[Craig Rodrigues <rodrigc@xxxxxxxxxxxx>]

On Sun, Apr 02, 2000 at 12:49:02AM +0900, Richard Sharpe wrote:
> Hi,
> 
> I suspect that NetFilter is too low level for what Nathan wants.

Not necessarily.  Netfilter can allow you to do a lot of things in user space.
For example, you can create a device, such as /dev/netfilter_ipv4.
>From *user space*, you can read and possibly write to this device.
You read in the full packet before it enters the protocol stack.
You can accept the packet, modify the packet, forward the packet, etc.
By operating in user space, you can develop and test an application outside
the kernel. 
If the code is in C, you can recompile it as a kernel module and run it in 
kernel space.

Ideally, someone would add Netfilter support to libpcap, so someone
could just use pcap and not worry about the underlying packet
capture implementation.
The only problem is, Linux support for libpcap seems to be disorganized
these days.  (I don't have the expertise/time to add the support myself,
so I shouldn't complain too much. :)

I recommended that Nathan not use Netfilter, not because it is too low-level,
but because it is currently only available in experimental kernels, and is
undergoing a lot of changes.  I just provided the information for interest.
When Netfilter and Linux kernel 2.4 stabilizes, I think it will be a very
viable solution for doing this kind of work.
 
I recommended that he look at iptraf and PF_PACKET type sockets, because
that is available in Linux 2.2, and is more stable.

Linux is great, but it can be a big ball of chaos, and it can be difficult
for new developers to get the information they need, so hopefully I
helped more than I confused. :)

I want to nip this thread in the bud , because it is diverging from Ethereal.
For further information about Netfilter, read the Netfilter mailing
list at http://netfilter.kernelnotes.org and the associate web pages. :)
-- 
Craig Rodrigues        
http://www.gis.net/~craigr    
rodrigc@xxxxxxxxxxxx