tcpdump mailing list archives

Re: Multi process sniffing and dropped packets


From: Guy Harris <guy () alum mit edu>
Date: Thu, 12 Jan 2006 17:24:29 -0800


On Jan 12, 2006, at 3:11 PM, computational_complex- forthespam () yahoo it wrote:

- every process executes an infinite loop in which pcap_next() is called.
- every process executes a pcap_loop() call.

So does each process execute a pcap_open_live() call?

Or do you do that in the main process and then fork multiple subprocesses?

In the former case, each process will probably get its own copy of each of the packets received, rather than the packets being distributed amongst the processes.

In the latter case, that *might* work, but I don't know whether it's guaranteed to work on all platforms.

Anyway, I would like to know how ps_drop in struct pcap_stat is calculated; is this the number of packets that the network card drops?

No.

Or does it count pcap library dropped packets?

No - the library doesn't "drop" packets in that sense.

It counts the number of packets dropped by the kernel's packet capture mechanism (if the packet capture mechanism even bothers to count those drops - some don't, so you might get a 0 value for ps_drop even if packets were dropped) because it ran out of buffer space.

If it's in the latter case, why does the lib drop packets? Is there a buffer full?

Yes.

Can I enlarge this buffer?

It might be possible, on some OSes, but the way it's done is OS-dependent - and you can't do it with BPF once the BPF device has been bound to a network adapter, so you can't do it once pcap_open_live() has finished.
This is the tcpdump-workers list.
