tcpdump mailing list archives

libpcap on Mac Os X 10.6 Snow Leopard

From: Marco De Angelis <thorar () yahoo com>
Date: Sun, 31 Jan 2010 01:07:59 -0800 (PST)

Hi.

We have an application that uses libpcap for many Linux versions and for Mac Os X Leopard with an excellent outcome. 
When tested on Snow Leopard (10.6.2), it stopped working. I googled a lot and found out about the BPF issues that you 
mention on many posts like http://www.mail-archive.com/wireshark-bugs () wireshark org/msg16294.html 

I'm not monitoring my own packets, and anyway, giving read and write permissions to group and to everybody didn't help. 
I ruled out also the wireless card problems by attaching directly to the router. Nada.

Since Mac Os X 10.6 ships with libpcap 1.0.0, I tried using the new interface with pcap_create and pcap_activate, which 
also allows buffer customization previously unavailable. After many tests and combinations, it worked with this strange 
trick: reducing the buffer size to 128 bytes, so that only 1 packet could be held in the system's buffer, and thus it 
would be delivered to the application immediately when the next packet arrives. Changing all the other settings 
(timeouts, packet count in the pcap_dispatch, etc) do not affect the results.

Of course the last packet never gets delivered. If a give the buffer enough space for 10 packets, I can see that the 
last 10 packets of what I'm monitoring are not delivered, therefore I suppose they lie in the buffer and do not get 
delivered by pcap_dispatch. I tried also using pcap_loop, without any change. Here's the creation of the session.


// Using PCAP 1.0.0 features on Mac OS X Snow Leopard
#if defined(PCAP_HAS_CREATE)
if ((pcapSession = pcap_create(iface->getName().c_str(), errbuf)) == NULL)
{
LOG_STATIC_TRACE(util::logging::METHOD_EXIT_FAIL<<" error <"<<errbuf<<">");
RAISE_EXCEPTION_WITH_MSG(CreateSessionErrorException, errbuf);
}
if (pcap_set_snaplen(pcapSession, snapLen) != 0) 
{
std::string error = pcap_geterr(pcapSession);
pcap_close(pcapSession);
LOG_STATIC_TRACE(util::logging::METHOD_EXIT_FAIL<<" error <"<<error<<">");
RAISE_EXCEPTION_WITH_MSG(CreateSessionErrorException, error);
}
if (pcap_set_promisc(pcapSession, promisc ? 1 : 0) != 0) 
{
std::string error = pcap_geterr(pcapSession);
pcap_close(pcapSession);
LOG_STATIC_TRACE(util::logging::METHOD_EXIT_FAIL<<" error <"<<error<<">");
RAISE_EXCEPTION_WITH_MSG(CreateSessionErrorException, error);
}
if (pcap_set_timeout(pcapSession, 1000) != 0) 
{
std::string error = pcap_geterr(pcapSession);
pcap_close(pcapSession);
LOG_STATIC_TRACE(util::logging::METHOD_EXIT_FAIL<<" error <"<<error<<">");
RAISE_EXCEPTION_WITH_MSG(CreateSessionErrorException, error);
}
if (pcap_set_rfmon(pcapSession, 0) != 0) 
{
std::string error = pcap_geterr(pcapSession);
pcap_close(pcapSession);
LOG_STATIC_TRACE(util::logging::METHOD_EXIT_FAIL<<" error <"<<error<<">");
RAISE_EXCEPTION_WITH_MSG(CreateSessionErrorException, error);
}
// FIXME: This is where the workaround takes place! Increase the buffer and packets
//        are proportionally not delivered!
if (pcap_set_buffer_size(pcapSession, 128) != 0) 
{
std::string error = pcap_geterr(pcapSession);
pcap_close(pcapSession);
LOG_STATIC_TRACE(util::logging::METHOD_EXIT_FAIL<<" error <"<<error<<">");
RAISE_EXCEPTION_WITH_MSG(CreateSessionErrorException, error);
}
if (pcap_activate(pcapSession) != 0)
{
std::string error = pcap_geterr(pcapSession);
pcap_close(pcapSession);
LOG_STATIC_TRACE(util::logging::METHOD_EXIT_FAIL<<" error <"<<error<<">");
RAISE_EXCEPTION_WITH_MSG(CreateSessionErrorException, error);
}
#else
if ((pcapSession = pcap_open_live(iface->getName().c_str(), snapLen, promisc ? 1 : 0, 1000,errbuf)) == NULL)
{
LOG_STATIC_TRACE(util::logging::METHOD_EXIT_FAIL<<" error <"<<errbuf<<">");
RAISE_EXCEPTION_WITH_MSG(CreateSessionErrorException, errbuf);
}
#endif
The call to dispatch is very simple, this is a snippet:

while(true)
{
int32_t ret = pcap_dispatch(m_impl->pcapSession, 100, 
detail::PacketCaptureSession_pcap_handler, (u_char*)this);

if (ret==-1)
{
std::string error = pcap_geterr(m_impl->pcapSession);
LOG_TRACE(util::logging::METHOD_EXIT_FAIL<<" error <"<<error<<">");
RAISE_EXCEPTION_WITH_MSG(PacketCaptureSessionException, error);
}
...


Any idea that could point me in resolving the issue? Have you ever seen this behaviour before? The application works 
fine with all other O.S. which run older pcap versions. I recompiled tcpdump 4.0.0 on my machine, and it works! 
Therefore I shall be able to capture correctly. 

Best regards,
Marco
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

Current thread:

libpcap on Mac Os X 10.6 Snow Leopard Marco De Angelis (Jan 31)
- Re: libpcap on Mac Os X 10.6 Snow Leopard Guy Harris (Jan 31)
  - Re: libpcap on Mac Os X 10.6 Snow Leopard Marco De Angelis (Feb 01)
    - Re: libpcap on Mac Os X 10.6 Snow Leopard Carter Bullard (Feb 01)
    - Re: libpcap on Mac Os X 10.6 Snow Leopard Guy Harris (Feb 01)
- Re: libpcap on Mac Os X 10.6 Snow Leopard Guy Harris (Jan 31)
- <Possible follow-ups>
- Re: libpcap on Mac Os X 10.6 Snow Leopard Marco De Angelis (Feb 01)
  - Re: libpcap on Mac Os X 10.6 Snow Leopard Guy Harris (Feb 01)
    - Re: libpcap on Mac Os X 10.6 Snow Leopard Marco De Angelis (Feb 03)
    - Re: libpcap on Mac Os X 10.6 Snow Leopard Guy Harris (Feb 03)
    - Re: libpcap on Mac Os X 10.6 Snow Leopard Marco De Angelis (Feb 03)

(Thread continues...)