tcpdump mailing list archives
Re: live capture questions
From: Guy Harris <guy () alum mit edu>
Date: Tue, 18 Nov 2003 11:52:28 -0800
On Nov 18, 2003, at 11:25 AM, Chris sun wrote:
I used pcap_dispatch() the manpage says when readding live capture, only 1bufferful of packets is read at a time, I was wondering what the "1 bufferful packets means"?
It means that, on some OSes, the packet capture mechanism buffers packets, with a timeout, so that a single read from the packet capture mechanism might supply more than one packet (which is more efficient than supplying one packet per read). The timeout ensures that the read doesn't block forever waiting for the buffer to fill up.
"1 bufferful" means "the number of packets supplied by a read".
suppose I set the cnt to be large enough to holdall pakcets sent from node, will my callback be called untill after it readthe cnt number of packets ?
If you're using "pcap_dispatch()", there is *NO* guarantee that a minimum number of packets will be supplied by a single call to "pcap_dispatch()". There is, in fact, no guarantee that *any* packets will be supplied, as, on some platforms that have buffering, the timeout starts when the read is done, and expires even if no packets have arrived (on other platforms, such as Solaris, the timeout starts when the first packet arrives).
If you are going to use "pcap_dispatch()", you *MUST* keep calling it until you have all the packets you want. Note, however, that "pcap_loop()" does that for you, so you should probably use it instead.
- This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
Current thread:
- live capture questions Chris sun (Nov 18)
- Re: live capture questions Guy Harris (Nov 18)
- Re: live capture questions Chris sun (Nov 18)
- Re: live capture questions Guy Harris (Nov 18)
- Re: live capture questions Chris sun (Nov 18)
- Re: live capture questions Guy Harris (Nov 18)