Subject: Re: /dev/tap and tcpdump don't go together very well? [conclusion & diff]
To: Rhialto <>
From: Anders Hjalmarsson <>
List: current-users
Date: 04/13/2007 00:28:03
On Thu, 12 Apr 2007 22:38:42 +0200, Rhialto wrote:

> On Wed 11 Apr 2007 at 23:51:55 +0200, Anders Hjalmarsson wrote:
> > This patch is based on something Manuel Bouyer posted some years ago, but
> > fixed so that two bpf-using programs on the same host can communicate,
> > e.g. simh-vax and mopd.
> Yes, that is nice. I assume though that a bpf reader will get its own
> packets back though (if they pass the filter).

I think you are right, but I don't think that causes any harm.

> I wonder, by the way, why this patch is adding code in ether_output() in
> if_ethersubr.c. I was thinking to add some code (much like this) in
> bpf_write() in bpf.c, near the call to (*ifp->if_output)(). That would
> only inspect packets injected into bpf, not all outgoing packets to all
> interfaces.

It has been quite some time since a made this patch, but here is a link to
Manuels original patch:
My additions are the parts wrapped in #if NBPFILTER > 0

Since his patch almost worked (writes to bpf were seen by the local host.
except when reading from bpf), I looked at that part of the code to find a 
way around the problem, and did not consider that there could be a better