tcpdump mailing list archives

Re: AIX BPF Problems

From: Guy Harris <guy () netapp com>
Date: Wed, 12 Feb 2003 01:18:00 -0800

On Wed, Feb 12, 2003 at 06:01:18PM +1100, Shaun wrote:

Here's where it gets really weird, I hope I can explain the exact symptoms
of the problem clearly.

AIXs tcpdump is based on an older version of libpcap that doesn't do the
magic BIOCSBLEN processing.


Does it also set immediate mode with BIOCIMMEDIATE?  If not, that might
make some difference (it doesn't wake up the application on every
packet), but, as per earlier messages, the timeout doesn't appear to
work, so if they don't set immediate mode they somehow manage to get the
timeout to work.

It simply allows the system to run with it's
existing buffer size (which defaults to 4096). If I modify the new libpcap
to not do the magic BIOCSBLEN processing, we get the same results, i.e no
EFAULTs, all data returned as expected.

As discussed earlier I'd prefer to have as large a kernel buffer as
humanly possible so I tried to experiment with this to see what was
causing it.
      - I found that if I didn't use pcap_findalldevs() at all and
simply opened the device immediately everything worked perfectly (i.e no
EFAULTs). Resulting in a magic buffer size selection of 16384


I assume by "magic buffer size selection" you mean that the process that
starts with 32K and works its way down by cutting the buffer size in
half succeeds at 16K.

      - If I listed all the interfaces first using pcap_findalldevs
(opening and doing the magic buffer selection of 16384 on them), it
doesn't work properly


What buffer size does it choose on the "real" open?

      - If I list all of the interfaces first but don't do the magic
buffer size selection (i.e choose 4096 as the start of the magic buffer
selection code),


I.e., you still do the magic buffer size selection, you just start it at
4096.

it seems to work properly


So if you do the "search for a good buffer size" stuff in the open done
by "pcap_findalldevs()", starting at 32768, it screws things up, but if
you start at 4096, it doesn't?

      - If we do the same as above but start buffer size selection at
8k, doesn't work


...and if you start at 8K, it also doesn't work?

      - If we stop pcap_open_live from working on any interface except
en0, i.e rejecting them before making any attempt to process them, doesn't
work


So if you make "pcap_findalldevs()" not open anything other than "en0",
so "pcap_findalldevs()" opens "en0" and then the program opens "en0", it
still doesn't work with the buffer size selection starting at some value
above 4K?

      - If we open and close the en0 device a number of times (straight
off, no list of devices), it works perfectly with magic buffer size
selection of 16384


...but if you just open "en0" twice, with the buffer size selection
starting at 32K, it works?

So in the previous two cases:

        use "pcap_findalldevs()", opening only "en0", and then opening
        "en0";

        opening "en0" twice;

what is the difference in the set of system calls being made?

      - Disabling pcap_open_live(name, 68, 0, 0, errbuf) call in
add_or_find_if() causes it all to work fine with magic discovered buffer
size 16384


So that's equivalent to not doing "pcap_findalldevs()" at all, when it
comes to calls to "pcap_open_live()" made in the program.

              - Disabling pcap_open_live for any device other than en0
and re-enabling the pcap_open_live() call in add_or_find_if() does NOT
help


That's the same as

              - If we stop pcap_open_live from working on any interface except
        en0, i.e rejecting them before making any attempt to process
        them, doesn't work

right?

      - If I call pcap_open_live(sInterface, 68, 0, 0, acErrBuf) on the
interface before listing devices it works ok


So if you open the interface *three* times - once before calling
"pcap_findalldevs()", once in "pcap_findalldevs()", and once in the
application, with all opens starting the buffer size scan at 32K, it
works?

      - Disabling or enabling timeout processing in pcap_open_live has
no noticable effect
      - Disabling the reconfigure of the driver in bpf_open() had no
effect at all

So.... I can't see much logic in this madness, any ideas?


What's the snapshot length you're using in the "pcap_open_live()" calls
you're doing explicitly?  68?
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe

Current thread:

AIX BPF Buffer Size Shaun (Feb 10)
- Re: AIX BPF Buffer Size José María González (Feb 10)
- Re: AIX BPF Buffer Size Guy Harris (Feb 10)
  - Re: AIX BPF Buffer Size Shaun (Feb 10)
    - Re: AIX BPF Buffer Size Guy Harris (Feb 10)
    - AIX BPF Problems Shaun (Feb 11)
    - Re: AIX BPF Problems Guy Harris (Feb 12)
    - Re: AIX BPF Problems Shaun (Feb 13)
    - Re: AIX BPF Problems Guy Harris (Feb 13)
    - Re: AIX BPF Problems Shaun (Feb 13)
    - Re: AIX BPF Buffer Size Shaun (Feb 13)