Re: capturing packets

["Gianluca Varenni" <gianluca.varenni () cacetech com>]

--------------------------------------------------
From: "Madhusudan KR" <madhusudan.kr () firstmedia in>
Sent: Tuesday, April 27, 2010 7:29 AM
To: <tcpdump-workers () lists tcpdump org>
Subject: [tcpdump-workers] capturing packets

> Hi,
>
> I have a system which has two ethernet interfaces, namely eth0 and eth1.
> I need to capture the packets from both the interfaces.
>
> I am planning to spawn two threads, one each for eth0 and eth1.
> In these threads I shall be using the following two pcap calls.
>
> pcap_open_live
> pcap_next_ex
>
> I shall run "pcap_next_ex" in a while loop, so that it keeps on capturing
> the packets.
>
> I have the following questions.
>
> 1. Am I in the right direction? If not, please guide me the right approach
> for this problem

You are in the right direction.


> 2. I read from the man page for pcap, that "pcap_next_ex" is a blocking
> call.
>    Does this mean that, if one thread is busy with "pcap_next_ex", then 
> the
> other thread
>    have to wait for it???

No, it means that pcap_next_ex will not return until there is a packet on 
that specific interface you are capturing from. Two pcap_t instances 
(obtained with pcap_open_live) will not interfere with each other.

The only caveat that you need to be aware of when using multiple threads is 
pcap_compile, if you are planning to use BPF filters. pcap_compile is not 
thread safe, so you need to protect the calls to this function with a 
synchronization primitive like a mutex.

Have a nice day
GV



>    In this case, will I not be missing the packets...
>
>
> Regards,
> Madhusudan
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe. 

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.