tcpdump mailing list archives
Re: libpcap on Mac Os X 10.6 Snow Leopard
From: Guy Harris <guy () alum mit edu>
Date: Wed, 10 Feb 2010 00:47:33 -0800
On Feb 9, 2010, at 2:15 AM, Marco De Angelis wrote:
I made an interesting test. By collecting pcap_stats() after every call to pcap_dispatch and printing the pcap_stat values out, I could verify that the packets are received. E.g. if I filter for ICMP packets, by launching "ping" commands I can see "ps_recv" increase rapidly. Now, I don't know what "received" means (in userland? in kernel buffer?), but maybe you do :)
I know it depends on the platform. :-)

In BPF-based systems such as *BSD and OS X, it counts packets that are seen by the BPF mechanism, regardless of whether they pass the capture filter or not, so it can count packets that aren't even put into the *kernel* buffer. If you have no capture filter, so that all packets "pass the filter", it counts packets put into the kernel buffer, regardless of whether they've been read into userland.

So it sounds as if, for some reason, the timer isn't expiring and causing packets to be delivered.

Your code snippet shows pcap_dispatch() being called at the beginning of a "loop forever" loop, so I presume you're not doing a select() to wait for packets to arrive (that has a problem in older versions of *BSD and still has a problem in OS X).

Could you - and Carter - put, into your programs, the following includes (if they're not already there):

    #include <string.h>
    #include <errno.h>
    #include <sys/ioctl.h>

and, before the include of pcap.h, add

    #define PCAP_DONT_INCLUDE_PCAP_BPF_H

and then, after the include of pcap.h, add

    #include <net/bpf.h>

and then, in the routine/method that calls pcap_open_live() or pcap_activate(), add

    char errbuf[PCAP_ERRBUF_SIZE];
    struct BPF_TIMEVAL t;

and, after the pcap_open_live() or pcap_activate() call, do

    if (ioctl(pcap_fileno(pd), BIOCGRTIMEOUT, &t) == -1) {
        fprintf(stderr, "bpftest: BIOCGRTIMEOUT failed: %s\n",
            strerror(errno));
        return 2;
    }
    printf("BIOCGRTIMEOUT = %#08lx, t.tv_sec = %d, t.tv_usec = %d\n",
        (unsigned long)BIOCGRTIMEOUT, t.tv_sec, t.tv_usec);

where:

1) "pd" is the return value from pcap_create() or pcap_open_live() (pcapSession, in Marco's code snippet; pd, in Carter's);

2) the printf() call can be replaced by a C++ equivalent, if the program is in C++, and if the program isn't something that runs from the command line, the code can be modified to arrange that the output be somehow visible.

Then run the program and reply with the output it produces.