tcpdump mailing list archives

Re: Pcap delivers packets every 200ms


From: Guy Harris via tcpdump-workers <tcpdump-workers () lists tcpdump org>
Date: Thu, 2 Feb 2023 18:30:17 -0800

--- Begin Message ---
From: Guy Harris <gharris () sonic net>
On Feb 2, 2023, at 7:42 AM, Paschal Chukwuebuk Amusuo via tcpdump-workers <tcpdump-workers () lists tcpdump org> wrote:

> Please, is there any way to force pcap to deliver packets once it receives the packet?
> Currently, pcap delivers packets to my application at intervals and it batches the packets before delivering them.
> There are substantial time differences between when the packet is received by pcap and when it is finally delivered
> by the application.

pcap does not itself buffer packets.  Packet capture mechanisms, such as PF_PACKET sockets in memory-mapped mode on 
Linux, BPF devices on macOS/*BSD/AIX/Solaris 11, and NPF for Windows, do the buffering.

This is intentional; it's done to reduce the overhead of per-packet capture by:

        doing only one wakeup per batch of packets rather than per packet;

        if the mechanism copies from the kernel to user space, doing one copy per batch of packets rather than per packet;

        packing multiple packets into a single chunk of the buffer.

The buffering has a timeout, so that packets don't have to wait for a buffer to fill up before being delivered to 
userland code such as libpcap.  Libpcap allows the application to choose the timeout.

See the "packet buffer timeout" section of the main pcap man page:

        https://www.tcpdump.org/manpages/pcap.3pcap.html

> In the screenshot I attached, 6 packets were received within 400ms but all delivered at the same time.

That's probably because your application has requested a 400ms timeout in a call to pcap_open_live() or 
pcap_set_timeout() by passing 400 as the timeout value (which is in milliseconds).  You can either 1) choose a shorter 
timeout or 2) use immediate mode, as per Denis's message.

--- End Message ---
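
The trade-off described in the message above, as an added example that is not part of the original post and is not libpcap code: a simplified Python model of a buffering capture mechanism, comparing a 400 ms timeout, a shorter timeout, and immediate mode by wakeups and added latency. The function names, the 64-packet buffer, the timer rules stated in the comments, and the arrival times are assumptions; real timer behaviour differs between platforms.

```python
# Simplified model of a capture mechanism's packet buffer timeout.
# Assumptions (not taken from any platform's implementation): the timer starts
# when the application begins waiting at t=0 and restarts after each expiry or
# delivery; a batch is handed over when the timer expires with packets
# buffered, or at once when `buf_packets` packets are buffered.

def deliveries(arrivals_ms, timeout_ms, buf_packets=64, immediate=False):
    """Return [(delivery_time_ms, [arrival_ms, ...]), ...], one per wakeup."""
    if immediate:                        # immediate mode: no batching at all
        return [(t, [t]) for t in sorted(arrivals_ms)]
    if timeout_ms <= 0:
        raise ValueError("model needs a positive timeout")
    batches, pending, deadline = [], [], timeout_ms
    for t in sorted(arrivals_ms):
        while t > deadline:              # expiries that precede this arrival
            if pending:
                batches.append((deadline, pending))
                pending = []
            deadline += timeout_ms
        pending.append(t)
        if len(pending) >= buf_packets:  # buffer full: deliver without waiting
            batches.append((t, pending))
            pending, deadline = [], t + timeout_ms
    if pending:                          # last batch waits for its expiry
        batches.append((deadline, pending))
    return batches


def summary(batches):
    """Wakeups and worst added latency (delivery time minus arrival time)."""
    worst = max((d - a for d, batch in batches for a in batch), default=0)
    return {"wakeups": len(batches), "worst_latency_ms": worst}


# Constructed sample: six packets arriving within 400 ms, as in the question.
ARRIVALS_MS = [20, 95, 170, 240, 310, 385]

if __name__ == "__main__":
    for label, kwargs in [("timeout=400", {"timeout_ms": 400}),
                          ("timeout=50", {"timeout_ms": 50}),
                          ("immediate", {"timeout_ms": 400, "immediate": True})]:
        print(label, summary(deliveries(ARRIVALS_MS, **kwargs)))
```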