Re: Is libpcap pcap_set_buffer_size() == winpcap

[Chris Morgan <chmorgan () gmail com>]

On Thu, Sep 3, 2009 at 1:04 PM, Guy Harris<guy () alum mit edu> wrote:
> On Sep 3, 2009, at 9:13 AM, Chris Morgan wrote:
>
> > A user of Sharppcap is asking if we support pcap_setbuff(). Apparently
> > this is a winpcap specific option.
>
> Yes.
>
> The problem is that not all platforms atop which libpcap runs can support
> setting the buffer size after you've opened a network interface for
> capturing - BPF won't let you change the buffer size on a /dev/bpf* device
> once you've bound it to an interface.
>
> The WinPcap people added pcap_setbuff(), but the code whose buffer size it
> changes is their code, so they could make it work however they wanted; the
> capture code libpcap uses is part of the UN*X systems on which it runs.
>
> > I was wondering if pcap_set_buffer_size() was the same as pcap_setbuff().
>
> "The same" in what sense?
>
> They are used differently.  Libpcap 1.x, in order to allow more options to
> be specified when a network interface is opened for capturing, split
> pcap_open_live() into pcap_create(), which creates a "non-activated" pcap_t,
> on which options can be set but upon which capturing cannot be done, and
> pcap_activate(), which "activates" the pcap_t so that you can capture on it.
>
> One option that can be set between creation and activation is the buffer
> size; that even works on systems that use BPF for capturing, as the
> /dev/bpf* device isn't opened, much less bound to an interface, until the
> pcap_t is activated.
>
> So, to set the buffer size when you open an interface, you do
>
>        pd = pcap_create(...);
>        if (pd == NULL)
>                fail;
>
>                ...
>
>        status = pcap_set_buffer_size(pd, buffer_size);
>        if (status != 0)
>                fail;
>
>                ...
>
>        status = pcap_activate(pd);
>        if (status != 0)
>                fail;
>
> pcap_setbuff() takes an opened pcap_t as an argument, so it can only be
> called *after* the interface has been opened, so, to set the buffer size on
> Windows after you open an interface, you do
>
>        pd = pcap_open_live(...);
>        if (pd == NULL)
>                fail;
>
>        if (pcap_setbuff(pd, buffer_size) == -1)
>                fail;
>
> or, in WinPcap 4.1 (at least as of 4.1b5 - I don't know which version first
> picked up pcap_create() and pcap_activate()):
>
>        pd = pcap_create(...);
>        if (pd == NULL)
>                fail;
>
>                ...
>
>        status = pcap_activate(pd);
>        if (status == 0)
>                fail;
>
>        if (pcap_setbuff(pd, buffer_size) == -1)
>                fail;
>
> > If so, are there any plans to unify the api for increased cross platform
> > code
> > portability?
>
> WinPcap 4.1 (again, at least as of 4.1b5) has pcap_set_buffer_size(), so you
> can do
>
>        pd = pcap_create(...);
>        if (pd == NULL)
>                fail;
>
>                ...
>
>        status = pcap_set_buffer_size(pd, buffer_size);
>        if (status != 0)
>                fail;
>
>                ...
>
>        status = pcap_activate(pd);
>        if (status != 0)
>                fail;
>
> on Windows with WinPcap 4.1 and on UN*Xes if you have libpcap 1.x.
>
> libpcap will not pick up pcap_setbuff() as it cannot be implemented on all
> platforms (no *BSD, AIX, or Mac OS X) and as it has pcap_set_buffer_size().
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.

Ahh.

Thank you again for this detailed information.

I'm asking the user if pcap_set_buffer_size() will work for them. If
it does we can implement that interface and we'll be able to have the
same api that works the same across windows, mac, linux platforms,
keeping things simple for everyone.

Chris
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.