Re: libpcap & poll()

["Aaron Turner" <synfinatic () gmail com>]

On Thu, Nov 13, 2008 at 9:38 PM, Ben Greear <greearb () candelatech com> wrote:
> Aaron Turner wrote:
> > On Thu, Nov 13, 2008 at 8:15 PM, Ben Greear <greearb () candelatech com>
> > wrote:
> >
> > > I guess you have some way of knowing you are reading a packet you just
> > > wrote
> > > so that you don't do this in a loop?
> >
> > Yep.  Basically it's a software bridge (two interfaces, copying all
> > packets from one interface to the other) I track the source MAC
> > address so I know which direction a packet should go.
>
> I pretty much do the same, but I'm overly paranoid and actually store the
> entire packet
> in a queue and compare against those to stop retransmits on Solaris.  (You
> typically
> immediately read what you just wrote, so the queue comparison usually just
> pops off
> the top packet).   On Windows, you can use winpcap and it has the ability to
> not receive what it sends.

Copying the entire packet has gotta be expensive since you'll be
having to memcpy() each packet.  I assume you're not malloc()/free()
each time too.  I basically use a learning bridge solution where I
keep each MAC address in a red-black tree and store which interface I
first saw it as the source.  Keeps things efficient and should scale
to 1000's of hosts.

> On Linux, as mentioned, I just use raw packet sockets.
> > > I do know that if you use a PF_PACKET socket, if you write to it you do
> > > not
> > > read that packet back on the PF socket.  I'm not sure about using pcap to
> > > read/write on Linux,
> > > however.
> >
> > Interesting... Right now I'm using different handles for read & write
> > so I see packets I send.  Obviously  not ideal, but if I could use the
> > same handle for read & write that would help out a lot.
>
> Well, in a bridge you have to bind to two interfaces, so you'll read from
> one and
> write to the other.  But, you should be able to do this with only two pcap
> sockets
> total.

Yeah, I should do that... My code predates libpcap being able to send
packets and so I have my own abstraction API built on top of
PF_PACKET, libpcap, winpcap, libdnet and libnet.

> If you get anything working on Windows, I'm interested to know your
> throughput.  I
> can't get above about 10Mbps full duplex across my winpcap bridge...

My code is ported to windows/cygwin.  Unfortunately, my only windows
box is via a Parallels VM on OSX so performance just sucks in general.
 If you feel sufficiently motivated feel free to give it a spin:

http://tcpreplay.synfin.net/trac/wiki

Thanks for the all comments... definitely has been useful.

-- 
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.  -- Benjamin Franklin
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.