Re: Buffer overwrites with pcap_next_ex

[Guy Harris <guy () alum mit edu>]

On Jan 24, 2009, at 6:36 AM, Andreas Rieke wrote:

> I have seen a strange behavior of pcap_next_ex where a buffer is
> overwritten. When pcap_next_ex has finished, it returns a buffer for  
> the
> packet header and one for the packet data.

No.  pcap_next_ex() returns a pointer to a packet header and a pointer  
to packet data.

These are, in fact, pointers to a structure internal to libpcap and a  
buffer internal to libpcap, respectively - and those buffers can be  
reused, and hence overwritten, by subsequent calls to pcap_next_ex()  
(or pcap_next() or pcap_dispatch() or pcap_loop()).

> When processing the packet
> data, I have often seen strange data. For that reason, I have  
> changed my
> code to copy – for debug purposes - the packet data into a buffer,  
> after
> that process them and in the last step compare to the original data:  
> It
> has changed, although I am sure that my code does not write into that
> buffer!

Do you make any pcap_next_ex() calls (or pcap_next() or  
pcap_dispatch() or pcap_loop() calls) in between copying the data and  
comparing it?  If so, that could cause the symptoms you're seeing, for  
the reason described above.

> Is it recommended to copy the data (which takes
> additional time) before processing them?

Only if you want to continue use the data from one pcap_next_ex() call  
after you make subsequent pcap_next_ex() calls.

> In future, I would like to
> process multiple interfaces using select/pcap_dispatch. Will I have  
> the
> same problems there?

You won't have that problem *between* interfaces, because each pcap_t  
has its own buffer.-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.