tcpdump mailing list archives
Re: libpcap timeout weirdness
From: Guy Harris <guy () alum mit edu>
Date: Sun, 24 Mar 2013 14:59:02 -0700
On Mar 24, 2013, at 12:18 PM, Robert Monaghan <bob () gluetools com> wrote:
> Basically, I count blocks until I get everything that I need. At that point, I do a breakloop.
Is the total block count available at the time you call pcap_loop()? If so, just pass that in to pcap_loop() as the count.
> This seems to eliminate the timeout issue I saw.
The combination of the smaller timeout, and not trying to read more packets than will actually arrive (so that you don't try to read packets after the download finishes), is probably what's making the difference here.
> Now, however, I am concerned that the timeout is going to have to be adjusted to some value that is "One Size Fits All". Naturally a number that degrades performance for all of my users.
If a low timeout (or the lowest possible timeout, i.e. immediate mode, as described in my previous message, namely "no timeout, just return packets immediately") causes a problem, BPF is probably not currently capable of providing what you need. If, however, the performance is OK in immediate mode, try that. One problem with immediate mode is that it's somewhat like a socket, in that each read gives you a single packet, but it's also *not* like a socket, in that there's not a lot of buffering for packets in immediate mode. Arguably, something like Linux's PF_PACKET sockets would be best for people trying to implement protocols atop the link-layer, as (either when not in memory-mapped mode, or when in TPACKET_V1 or TPACKET_V2 memory-mapped mode) it has no timeouts, but does have a buffer, so that you don't have to *immediately* read the packet or have further packets dropped due to being out of buffer space. (In TPACKET_V3 mode, it appears to work more like, err, umm, BPF, with entire buffers full of packets being delivered, and with a timeout to keep it from waiting forever for a buffer to fill up; I think that mode was introduced for the benefit of packet capture.)
> I tried a timeout of 0, using pcap_set_timeout. But this never called my callback.
In BPF, a timeout of 0 means "no timeout, just block until the store buffer fills up, even if that takes forever".
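The timeout behaviour discussed in this message, as an added example that is not part of the original post and is not libpcap or kernel code: a simplified model of a BPF store buffer showing when each packet reaches the application with no timeout, a long timeout, a short timeout, and immediate mode. The names `delivery_time` and `SAMPLE`, the 4096-byte buffer and the packet timings are assumptions made for the illustration.

```c
#include <stdio.h>

#define NEVER (-1L)

/* Constructed sample: ten 1000-byte packets, one per millisecond, then silence. */
static const long SAMPLE[10] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};

/* Simplified model (an assumption, not kernel or libpcap code) of BPF reads.
 * arrivals[] are ascending arrival times in ms; each packet is pkt_len bytes.
 * timeout_ms == 0 means "no timeout". The reader re-issues read() at once.
 * Returns the time packet idx reaches the application, or NEVER. */
long delivery_time(const long *arrivals, int n, int pkt_len, int buf_size,
                   long timeout_ms, int immediate, int idx)
{
    long read_start = 0; /* when the pending read() was issued */
    int stored = 0;      /* bytes waiting in the store buffer */
    int first = 0;       /* index of the oldest packet in the store buffer */

    if (immediate)       /* immediate mode: handed over on arrival */
        return arrivals[idx];
    for (int i = 0; i < n; i++) {
        /* Fire every read timeout that expires before packet i arrives. */
        while (timeout_ms > 0 && read_start + timeout_ms < arrivals[i]) {
            read_start += timeout_ms;
            if (stored > 0) {
                if (idx >= first && idx < i) return read_start;
                stored = 0; first = i;
            }
        }
        if (stored + pkt_len > buf_size) { /* buffer full: wake the reader */
            if (idx >= first && idx < i) return arrivals[i];
            stored = 0; first = i; read_start = arrivals[i];
        }
        stored += pkt_len;
    }
    /* Traffic has stopped; only a timeout can flush what is left. */
    if (idx >= first && timeout_ms > 0) return read_start + timeout_ms;
    return NEVER;
}

int main(void)
{
    long t[] = {0, 1000, 2};
    for (int k = 0; k < 3; k++)
        printf("timeout %4ld ms: last packet delivered at %ld\n", t[k],
               delivery_time(SAMPLE, 10, 1000, 4096, t[k], 0, 9));
    printf("immediate mode : last packet delivered at %ld\n",
           delivery_time(SAMPLE, 10, 1000, 4096, 0, 1, 9));
    return 0;
}
```

In this model the last two packets of the transfer stay in a partly filled buffer, so with no timeout they are never delivered, and with a long timeout they arrive only when it expires.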