Re: libPcap -- Dynamic Filters Question...

[Guy Harris <guy () netapp com>]

On Fri, Feb 07, 2003 at 06:31:31AM -1000, Ryan Mooney wrote:
> What about if you did it as a threaded program and spawned new threads
> to match the new sessions.

If the new threads are doing their own "pcap_open_live()" calls, then

        1) you run the risk of running out of BPF devices on some
           platforms;

        2) you *still* aren't guaranteed to see the first packet of the
           session, as that packet might have arrived before that thread
           starts. 

> This would likely require some cleverness
> to get decent performance (thread pre-spawning,

Even if you pre-spawn the thread, it'd have to pre-open the capture
session *and* start sniffing - but you'd have to capture without a
filter until you know what the filter is, in which case setting the
filter will discard already-captured packets.

> A simular alternative would be to hack go into a big select loop on N
> bpf's

Same problem (plus "select()" doesn't work right on BPF devices on many
versions of BSD, although there are workarounds; on platforms that don't
use BPF, select works on the UNIXes, but there's a WinPcap bug that
causes a bogus handle to be returned by "pcap_getevent()" on Windows NT
(NT 4.0, 2K, XP) in current versions of WinPcap - I think it's fixed in
the 3.0 alpha/beta).
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe