Re: Tracking network traffic
Re: Tracking network traffic
- Subject: Re: Tracking network traffic
- From: Ryan McGann <email@hidden>
- Date: Wed, 04 Jun 2008 15:49:25 -0700
On Jun 3, 2008, at 1:13 PM, Peter Sichel wrote:
I read a similar warning recently about using Sysctl to access
kernel data structures such as the TCP PCB list. Is this also
considered private? Notice sysctl() is a common UNIX paradigm found
in Stevens "UNIX Network Programming".
If Sysctl() access to kernel data structures is also considered
private, what is the supported API to retrieve protocol and
connection statistics? [netstat?]
I'd appreciate any clarification around this.
This is a tougher one to call as you pointed out that sysctl(3) is a
public API. They are parts of the sysctl variable subtree that are
not really for normal use.
Speaking for the networking sysctl sub-tree -- net.x.y -- we have
kept the data structures like the TCP PCB list backward compatible
to I think Mac OS X 10.3 Jaguar. This is done copying fields of the
actual kernel data structures into compatible version of the data
structures for userland consumption.
This copying is not very efficient and tends to bloat the OS. That's
why from time to time Apple obsolete some older API in new version
of the OS.
There is a slightly different take on this...
The in-kernel tcpcb is private and an internal implementation detail.
Some of the information in a tcpcb can be useful for third parties. To
provide third parties access to this information, we export a data
structure that will never change. For backwards compatibility, we
picked the old tcpcb. This is not the same (private) data structure
used in the kernel.
There is a small performance penalty copying this data out, but that
penalty is far outweighed by the benefit of having the freedom to
change the internal structure without breaking third parties. The
other downside is that any new information added in the tcpcb will be
unavailable to applications.
One thing that I have requested in the past, but not been successful
lobbying for, is KPI access to the PCB list in the kernel. We _have_
to use the sysctl API sometimes because maintaining our own PCB list
by monitoring KPI events is not practical, but some of the data in the
pcb is quite useful. If there were a way to access the PCB from the
kernel and do our own "translation" to private data structures, that
would be much more useful for us anyway, and probably yield better
performance for our users.
Ryan
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macnetworkprog mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden