tcpdump mailing list archives

Re: writing to buffers returned by pcap


From: Guy Harris <guy () netapp com>
Date: Thu, 12 Dec 2002 22:51:58 -0800

On Fri, Dec 13, 2002 at 01:07:05AM -0500, Michael Ang wrote:
> Is it kosher to write to the buffer returned by pcap to the callback
> function?

I'm not sure I'd rely on it being OK.

For example, some OS might supply a capture mechanism in which a buffer
in the kernel into which captured packets are written can be mmapped
from userland, and it might be that it can only be mapped read-only; if
libpcap were to use such a mechanism and not copy packets from that
buffer (the whole point of a memory-mapped capture buffer being to
eliminate copies), the program might crash if it attempted to write to
the buffer.

Such a mechanism already exists in the 2.4[.x] Linux kernel, and libpcap
may support that at some point (I need to find some time to look at
merging in Phil Wood's code to do that); people have talked about
implementing it for at least some BSDs as well.

Phil's code uses an environment variable to indicate whether using the
mmap mechanism is OK; as I remember, this is because some applications
might depend on opening a capture device with "pcap_open_live()" in a
process and then forking and using the pcap_t from that open in a child
process, and that might not work if the buffer is mmapped.  At some
point I may add a "pcap_open_live_ex()" call that lets the application
specify whether it needs something "fork-safe" or not (as well as
specifying whether to open for capturing packets or for capturing and
sending packets, and possibly other options).  The new API could allow
an application to request that memory-mapped capturing not be done, and
the environment variable is required to allow memory-mapped capturing to
be done, so one could handle applications that can't work with a
read-only memory-mapped buffer that way.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
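
The failure mode described in the message above, as an added example that is not part of the original post and is not libpcap code: a capture buffer that is mapped read-only, and a handler that edits a private copy instead of the buffer itself. The function names, the scratch size and the sample bytes are assumptions made for illustration; an anonymous mapping made read-only with mprotect() stands in for a kernel capture buffer.

```c
#define _DEFAULT_SOURCE          /* for MAP_ANONYMOUS on glibc */
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>

#define SCRATCH_MAX 2048         /* assumed upper bound on the snapshot length */

/* Copy the captured bytes into caller-owned memory and edit only the copy.
 * In a libpcap callback, pkt and caplen would be the `bytes` argument and
 * h->caplen. Returns the number of bytes copied, or 0 if they do not fit. */
size_t edit_private_copy(const unsigned char *pkt, size_t caplen,
                         unsigned char *scratch, size_t scratch_len)
{
    if (pkt == NULL || scratch == NULL || caplen == 0 || caplen > scratch_len)
        return 0;
    memcpy(scratch, pkt, caplen);
    /* Hypothetical edit: blank the first 6 bytes (Ethernet destination). */
    memset(scratch, 0, caplen < 6 ? caplen : 6);
    return caplen;
}

/* Returns 1 if the edit landed in the copy and the read-only source is
 * unchanged, 0 if not, -1 if the mapping could not be set up. */
int demo_readonly_capture_buffer(void)
{
    static const unsigned char sample[14] = {   /* constructed Ethernet header */
        0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
        0x02, 0x00, 0x00, 0x00, 0x00, 0x01, 0x08, 0x00 };
    unsigned char scratch[SCRATCH_MAX];
    size_t maplen = 4096;
    unsigned char *ring = mmap(NULL, maplen, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (ring == MAP_FAILED)
        return -1;
    memcpy(ring, sample, sizeof sample);
    if (mprotect(ring, maplen, PROT_READ) != 0) {
        munmap(ring, maplen);
        return -1;
    }
    /* From here on, a direct store such as ring[0] = 0 raises SIGSEGV. */
    size_t n = edit_private_copy(ring, sizeof sample, scratch, sizeof scratch);
    int ok = n == sizeof sample
          && scratch[0] == 0 && scratch[5] == 0 && scratch[6] == 0x02
          && memcmp(ring, sample, sizeof sample) == 0;
    munmap(ring, maplen);
    return ok;
}
```
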

