Ethereal-users: Re: [Ethereal-users] Truly infinite capture

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Thu, 7 Dec 2000 11:25:35 -0800
On Thu, Dec 07, 2000 at 09:40:20AM -0600, McNutt, Justin M. wrote:
> > However I'm not confident that its performance is adequate.
> > What ntop does (as far as I know) is:
> > - capture a packet
> > - transfer it at user level (that means overhead)
> > - calculate statistics
> > - discard the packet
> > 
> > What the WinPcap library intends to do is:
> > - *see* a packet
> > - calculate statistics
> > which means much lower overhead.
> > 
> > The problem is that:
> > - WinPcap is available for Win32 only
> > - WinPcap does not provide advanced monitor features (these are still
> > under development), so it cannot be deployed "as is" to make your own ntop.
> 
> How does libpcap 0.5 fit into this?

The difference is actually not between libpcap and the user-mode WinPcap
library, it's really a difference between the underlying kernel-mode
packet capture mechanisms.

Most UNIX-flavored OSes don't, as far as I know, provide any way to have
that capture mechanism not copy any packets up to userland, and to just
keep statistics on the packets that were captured.  (There's no reason
why such a mechanism couldn't exist, although somebody would have to
write it, and it'd have to be an add-on you'd install on your machine,
unless you got the supplier of the OS in question to adopt it.)

Windows 9x and NT don't provide a capture mechanism, *period* (except
for the one that, on Windows NT Server and the Win2K equivalents,
Microsoft Network Monitor uses, the behavior of which isn't documented),
so the folks at the Politecnico di Torino had to implement their own,
atop the NDIS network infrastructure.  They put in a
statistics-gathering mode of that sort.

Now, from the WinPcap documentation, it looks as if the statistics mode
in WinPcap doesn't currently let you get statistics on the types of
traffic going over the network; it provides periodic samples of the
number of packets and the number of bytes that passed the capture
filter, but you can have only one capture filter active at a time, so
you can't get statistics on how many port-2049 (NFS) packets and bytes
were seen, and how many port-80 (HTTP) packets and bytes were seen, and
so on.

I assume the ability to do that might be part of the "advanced monitor
features" to which Fulvio is referring.
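The per-protocol counting described above (so many NFS packets and bytes, so many HTTP packets and bytes, all at once) is exactly what a single-filter statistics mode cannot report. The following is an added example, not code from this thread and not WinPcap's or libpcap's API: a userland sketch that evaluates several filters against each frame, keeps only counters, and hands out periodic samples. The frames are constructed inline (minimal Ethernet/IPv4/TCP headers, zeroed addresses) rather than captured; the filter names `nfs`/`http` and the `StatsCollector` class are assumptions for illustration. In a real kernel-side implementation the `see()` step is where the packet would be counted and dropped instead of being copied to userland.

```python
import struct

# Constructed sample frames (not captured from any real network): minimal
# Ethernet + IPv4 + TCP headers with zeroed MACs, fixed 10.0.0.x addresses,
# and a run of zero bytes as payload.
def build_frame(src_port, dst_port, payload_len):
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)          # EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + 20 + payload_len,        # ver/IHL, TOS, total length
                     0, 0, 64, 6, 0,                        # id, flags/frag, TTL, proto=TCP, csum
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH",
                      src_port, dst_port, 0, 0,             # ports, seq, ack
                      0x50, 0x18, 0, 0, 0)                  # data offset=5, PSH|ACK, win, csum, urg
    return eth + ip + tcp + b"\x00" * payload_len

# A constructed non-IP frame (ARP EtherType, zero body) to exercise the
# "not TCP/IP, count nothing" path.
ARP_FRAME = b"\x00" * 12 + struct.pack("!H", 0x0806) + b"\x00" * 28


def parse_tcp_ports(frame):
    """Return (sport, dport) for an IPv4/TCP Ethernet frame, else None.

    Only the header fields needed for the filters are decoded; nothing of the
    frame is retained by the caller.
    """
    if len(frame) < 14 + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:       # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                             # IPv4 header length in bytes
    if frame[14 + 9] != 6:                                   # protocol field: 6 == TCP
        return None
    tcp_off = 14 + ihl
    if len(frame) < tcp_off + 4:
        return None
    return struct.unpack("!HH", frame[tcp_off:tcp_off + 4])


# Several filters active at once; each is a predicate over the decoded ports.
# (Names are illustrative assumptions, not BPF syntax.)
FILTERS = {
    "nfs":  lambda sport, dport: 2049 in (sport, dport),
    "http": lambda sport, dport: 80 in (sport, dport),
}


class StatsCollector:
    """Count packets and bytes per filter; never keep the packets themselves."""

    def __init__(self, filters):
        self.filters = filters
        self.counts = {name: [0, 0] for name in filters}    # [packets, bytes]

    def see(self, frame):
        """Update the counters for every filter the frame matches, then forget it."""
        ports = parse_tcp_ports(frame)
        if ports is None:
            return
        sport, dport = ports
        for name, match in self.filters.items():
            if match(sport, dport):
                self.counts[name][0] += 1
                self.counts[name][1] += len(frame)

    def sample(self):
        """Return a snapshot of (packets, bytes) per filter and reset, as a
        periodic statistics read-out would."""
        snapshot = {name: tuple(c) for name, c in self.counts.items()}
        for c in self.counts.values():
            c[0] = c[1] = 0
        return snapshot


def demo():
    """Feed a handful of constructed frames through the collector and return one sample."""
    frames = [
        build_frame(40000, 2049, 100),   # NFS request:  14+20+20+100  = 154 bytes
        build_frame(2049, 40000, 1000),  # NFS reply:    14+20+20+1000 = 1054 bytes
        build_frame(50000, 80, 200),     # HTTP request: 14+20+20+200  = 254 bytes
        build_frame(53, 1234, 60),       # TCP/53, matches neither filter
        ARP_FRAME,                       # not IP at all
    ]
    collector = StatsCollector(FILTERS)
    for frame in frames:
        collector.see(frame)
    return collector.sample()


if __name__ == "__main__":
    print(demo())   # {'nfs': (2, 1208), 'http': (1, 254)}
```

The point of the structure is that `see()` returns nothing: once the counters are bumped the frame is gone, which is the property that makes an in-kernel statistics mode cheap compared with copying every packet to userland. Adding a third protocol is just another entry in `FILTERS`, whereas a one-filter-at-a-time API would need a separate capture session per protocol.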