The implementation of an Intrusion Detection & Prevention System depends on some software components to capture and filter packets. This paper first compares the merits and shortcomings of some typical packet filtering models, such as NIT, CSPF (CMU/Stanford Packet Filter) and BPF (Berkeley Packet Filter); among them, the BPF model is discussed in detail. Secondly, we implement a BPF model called mybpf on Linux as a kernel module. It collects packets within the Netfilter framework, provides applications with an interface through a character device file, and is attached as a hook function to the NF_IP_PRE_ROUTING hook that the Netfilter framework defines for IPv4. Finally, we evaluate the performance of mybpf against BPF over a SOCK_PACKET socket.
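A user-space interpreter for the core of the classic BPF filter model the abstract discusses, added here as an illustration and not code from the paper's mybpf module: it evaluates an "IPv4, TCP, destination port 80" filter program over a constructed Ethernet frame, the same accept/drop decision a kernel-resident filter makes in the capture path. The opcode values follow Linux classic BPF; the `filter_frame` helper and its 54-byte frame layout are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
/* Classic BPF instruction; opcode values match Linux <linux/filter.h>. */
struct bpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
enum { LD_H_ABS = 0x28, LD_B_ABS = 0x30, JEQ_K = 0x15, RET_K = 0x06 };
/* Run a filter over one frame: returns bytes to keep (0 = drop). Loads past
 * the end of the frame reject it, exactly as the kernel interpreter does. */
uint32_t bpf_run(const struct bpf_insn *prog, size_t n,
                 const uint8_t *pkt, size_t len) {
    uint32_t acc = 0;                          /* accumulator register A */
    for (size_t pc = 0; pc < n; pc++) {
        const struct bpf_insn *in = &prog[pc];
        switch (in->code) {
        case LD_H_ABS:                         /* A = 16-bit BE at offset k */
            if ((size_t)in->k + 2 > len) return 0;
            acc = (uint32_t)pkt[in->k] << 8 | pkt[in->k + 1];
            break;
        case LD_B_ABS:                         /* A = byte at offset k */
            if ((size_t)in->k + 1 > len) return 0;
            acc = pkt[in->k];
            break;
        case JEQ_K:                            /* skip jt insns if A == k, else jf */
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case RET_K: return in->k;
        default:    return 0;                  /* unsupported opcode: drop */
        }
    }
    return 0;
}
/* "IPv4 and TCP and dst port 80" for an Ethernet frame with IHL=5, so the
 * TCP destination port lives at byte 14 + 20 + 2 = 36. */
static const struct bpf_insn tcp80[] = {
    { LD_H_ABS, 0, 0, 12     },   /* A = EtherType                    */
    { JEQ_K,    0, 5, 0x0800 },   /* not IPv4 -> jump to final RET 0  */
    { LD_B_ABS, 0, 0, 23     },   /* A = IP protocol                  */
    { JEQ_K,    0, 3, 6      },   /* not TCP  -> RET 0                */
    { LD_H_ABS, 0, 0, 36     },   /* A = TCP destination port         */
    { JEQ_K,    0, 1, 80     },   /* not 80   -> RET 0                */
    { RET_K,    0, 0, 0xFFFF },   /* accept: keep whole frame         */
    { RET_K,    0, 0, 0      },   /* drop                             */
};
/* Constructed 54-byte test frame (other fields zero); returns the filter verdict. */
uint32_t filter_frame(uint16_t ethertype, uint8_t proto, uint16_t dport) {
    uint8_t f[54] = {0};
    f[12] = ethertype >> 8; f[13] = ethertype & 0xFF; f[14] = 0x45; f[23] = proto;
    f[36] = dport >> 8; f[37] = dport & 0xFF;
    return bpf_run(tcp80, sizeof tcp80 / sizeof tcp80[0], f, sizeof f);
}
```

The bounds check in each load is the property that lets a filter program from user space run safely inside the kernel: a malformed or truncated frame is dropped rather than read out of bounds.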