tcpdump mailing list archives
Re: AIX BPF Problems
From: Shaun <delius () progsoc uts edu au>
Date: Thu, 13 Feb 2003 21:08:35 +1100 (EST)
AIXs tcpdump is based on an older version of libpcap that doesn't do the magic BIOCSBLEN processing.Does it also set immediate mode with BIOCIMMEDIATE?
Yes, in fact it does so before EVERY read.
If not, that might make some difference (it doesn't wake up the application on every packet), but, as per earlier messages, the timeout doesn't appear to work, so if they don't set immediate mode they somehow manage to get the timeout to work.
From what I can tell the timeout basically doesn't work at all (though
admitedly I haven't really tried since I don't need that functionality)
- I found that if I didn't use pcap_findalldevs() at all and simply opened the device immediately everything worked perfectly (i.e no EFAULTs). Resulting in a magic buffer size selection of 16384I assume by "magic buffer size selection" you mean that the process that starts with 32K and works its way down by cutting the buffer size in half succeeds at 16K.
Yes, exactly.
- If I listed all the interfaces first using pcap_findalldevs (opening and doing the magic buffer selection of 16384 on them), it doesn't work properlyWhat buffer size does it choose on the "real" open?
16k
- If I list all of the interfaces first but don't do the magic buffer size selection (i.e choose 4096 as the start of the magic buffer selection code),I.e., you still do the magic buffer size selection, you just start it at 4096.
Yep
So if you do the "search for a good buffer size" stuff in the open done by "pcap_findalldevs()", starting at 32768, it screws things up, but if you start at 4096, it doesn't?
Yeah, that's the symptom. It's very strange.
- If we do the same as above but start buffer size selection at 8k, doesn't work...and if you start at 8K, it also doesn't work?
Yep
- If we stop pcap_open_live from working on any interface except en0, i.e rejecting them before making any attempt to process them, doesn't workSo if you make "pcap_findalldevs()" not open anything other than "en0", so "pcap_findalldevs()" opens "en0" and then the program opens "en0", it still doesn't work with the buffer size selection starting at some value above 4K?
Exactly. Where is gets even weirder is that further experimentation showed that: - Modifying bpf_load() to always do the sysconfig stuff even if the loaded flag was already set caused the problem to go away - Modifying the bpf_load() code to not query the ODM via getminors() caused the problem to go away - Modifying pcap to call bpf_load() before doing anything (i.e before iterating over the devices etc) caused the problem to go away
- If we open and close the en0 device a number of times (straight off, no list of devices), it works perfectly with magic buffer size selection of 16384...but if you just open "en0" twice, with the buffer size selection starting at 32K, it works?
Exactly.
So in the previous two cases: use "pcap_findalldevs()", opening only "en0", and then opening "en0"; opening "en0" twice; what is the difference in the set of system calls being made?
None that is obvious, the only difference appears to be that one involves the bpf_load being called during the iteration of the devices, the other does not. Though closing the UDP socket before calling pcap_open_live and reopening it on the other side of the pcap_open doesn't fix the problem.
- Disabling pcap_open_live(name, 68, 0, 0, errbuf) call in add_or_find_if() causes it all to work fine with magic discovered buffer size 16384So that's equivalent to not doing "pcap_findalldevs()" at all, when it comes to calls to "pcap_open_live()" made in the program.
Yeah.
That's the same as - If we stop pcap_open_live from working on any interface except en0, i.e rejecting them before making any attempt to process them, doesn't work right?
Yeah, sorry, repeated myself on that one
- If I call pcap_open_live(sInterface, 68, 0, 0, acErrBuf) on the interface before listing devices it works okSo if you open the interface *three* times - once before calling "pcap_findalldevs()", once in "pcap_findalldevs()", and once in the application, with all opens starting the buffer size scan at 32K, it works?
That would certainly appear to be the case.
- Disabling or enabling timeout processing in pcap_open_live has no noticable effect - Disabling the reconfigure of the driver in bpf_open() had no effect at all So.... I can't see much logic in this madness, any ideas?What's the snapshot length you're using in the "pcap_open_live()" calls you're doing explicitly? 68?
Yeah, 68, though from my cursory search I didn't see that value getting passed to the kernel? Thanks, Shaun - This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
Current thread:
- AIX BPF Buffer Size Shaun (Feb 10)
- Re: AIX BPF Buffer Size José María González (Feb 10)
- Re: AIX BPF Buffer Size Guy Harris (Feb 10)
- Re: AIX BPF Buffer Size Shaun (Feb 10)
- Re: AIX BPF Buffer Size Guy Harris (Feb 10)
- AIX BPF Problems Shaun (Feb 11)
- Re: AIX BPF Problems Guy Harris (Feb 12)
- Re: AIX BPF Problems Shaun (Feb 13)
- Re: AIX BPF Problems Guy Harris (Feb 13)
- Re: AIX BPF Problems Shaun (Feb 13)
- Re: AIX BPF Buffer Size Shaun (Feb 10)
- Re: AIX BPF Buffer Size Shaun (Feb 13)