tcpdump mailing list archives

Previous By Date Next
Previous By Thread Next

pcaplib: pcap_stats() ps_recv value

From: "Richard rh310" <rh310 () hotmail com>
Date: Mon, 21 Jul 2003 20:16:56 +0000
SuSE Linux 8.2, Intel P4 3.xx GHz, 512MB RAM, "stock" pcaplib on SuSE distribution, 10MB 802.3 at about 2% utiliization. GNU gcc 3.3.
I'm trying to use pcap_stats() to track the number of packet receives and drops, but the number received isn't what I expect and so I'm not sure I trust the count of drops. Sample code: 

#include <sys/types.h>
#include <stdio.h>
#include <pcap.h>

void phandler( u_char *, const struct pcap_pkthdr *, const u_char * ) ;

int main(void)
{
   int i ;
   pcap_t * caph ;
   char dev[] = "eth0" ;
   struct pcap_stat ps ;
   char ebuf[PCAP_ERRBUF_SIZE] ;

  caph = pcap_open_live( dev, BUFSIZ, 1, 0, ebuf ) ;

  i = 0 ;
  while (1)
  {
       pcap_loop( caph, -1, phandler, NULL ) ;

       /* get stats every 100 packets */
       if ( i == 100 )
       {
            pcap_stats( caph, &ps ) ;
            printf( "Recv: %d\tDropped: %d\", ps.ps_recv, ps.ps_drop ) ;
            i = 0 ;
            continue ;
       }
       i++ ;
   }

   pcap_close( caph ) ;
   return 0 ;
}
void phandler( u_char * args, const struct pcap_pkthdr * phdr, const u_char * pkt ) 
{
    /* nop for now */
    return 0 ;
}
Now, sometimes this program just sits there without generating any output at all (blocked on recv_from), and other times it outputs: 

Recv: 101     Drops: 0
Recv: 101     Drops: 0
Recv: 101     Drops: 0
Recv: 101     Drops: 0
Recv: 101     Drops: 0
Recv: 101     Drops: 0
...

tcpdump summary output from about 2 seconds of running tcpdump:

12012 packets received by filter
3303 packets dropped by kernel
...so there's data on the network, and there are dropped packets--and pcap_stats doesn't seem to be telling me anything much about either. About 98% of the traffic is unicast to the machine all this is running on, so even if someone the interface isn't going promisc there still should be more than I'm seeing in the output.
Anyway, I'm scratching my head over both the tendency to block on recv_from, and to apparently mis-report the count of packets received and dropped. 

Richard

_________________________________________________________________
STOP MORE SPAM with the new MSN 8 and get 2 months FREE* http://join.msn.com/?page=features/junkmail 

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
Previous By Date Next
Previous By Thread Next

Current thread: