On Fri, Dec 29, 2000 at 05:09:56PM +1100, Darren Reed wrote:

 > So what you're really saying is that it can't be read with tcpdump but
 > you want to extend the libpcap save file format just for your logging.
 > Sounds like the Microsoft approach - embrace and extend except - that
 > you will give out patches even if they aren't wanted.

Oh, I already have logging working with normal pcap save files.  They
just don't have all the info that I would like to have.  I will work with
the tcpdump.org folks to figure out something that's good for everybody.
See my "traffic replay" example -- there are other reasons, other than
my application, why this info is interesting/useful.

 > I hope this feature is disabled when securelevel > -1.  There were
 > numerous (and loud) complaints on icb about this feature in IPFilter
 > and the implications thereof.  I thought I'd mention this in case it
 > has been forgotten "in transit".

Just like any loadable module, if the securelevel is high enough, you
can't load them.  Unlike with IP Filter (I assume, since the userland
goo for "call" doesn't seem to be there), you can't just call an aribtrary
kernel function, you can only call a method which has been registered
with the Classifier, and the registration happens when the LKM for the
method is loaded (or at boot time, if it's a method that's statically
compiled in to the kernel).

-- 
        -- Jason R. Thorpe <thorpej@zembu.com>