Re: live capture questions

[Guy Harris <guy () alum mit edu>]

On Nov 18, 2003, at 11:25 AM, Chris sun wrote:

> I used pcap_dispatch() the manpage says when readding live capture, 
> only 1
> bufferful of packets is read at a time, I was wondering what the "1
> bufferful packets means"?

It means that, on some OSes, the packet capture mechanism buffers 
packets, with a timeout, so that a single read from the packet capture 
mechanism might supply more than one packet (which is more efficient 
than supplying one packet per read).  The timeout ensures that the read 
doesn't block forever waiting for the buffer to fill up.

"1 bufferful" means "the number of packets supplied by a read".

>  suppose I set the cnt  to be large enough to hold
> all pakcets sent from node, will my callback be called untill after it 
> read
> the cnt number of packets ?

If you're using "pcap_dispatch()", there is *NO* guarantee that a 
minimum number of packets will be supplied by a single call to 
"pcap_dispatch()".  There is, in fact, no guarantee that *any* packets 
will be supplied, as, on some platforms that have buffering, the 
timeout starts when the read is done, and expires even if no packets 
have arrived (on other platforms, such as Solaris, the timeout starts 
when the first packet arrives).

If you are going to use "pcap_dispatch()", you *MUST* keep calling it 
until you have all the packets you want.  Note, however, that 
"pcap_loop()" does that for you, so you should probably use it instead.

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe