tcpdump mailing list archives

Re: what about a pcap_flush() function ?


From: Guy Harris <guy () alum mit edu>
Date: Sun, 8 Feb 2004 22:14:59 -0800

On Tue, Feb 03, 2004 at 09:08:17PM +0100, Alberto Ornaghi wrote:
> I'm thinking about a function, let's call it pcap_flush(pcap_t *pd),
> that will zero the statistics and flush away any unread data from the
> pcap file descriptor.

Note that "zero[ing] the statistics" can be done, on systems using BPF
({Free,Net,Open,Dragonfly}BSD, BSD/OS, Mac OS X, AIX) only by
getting the current statistics values, storing them in the "pcap_t", and
subtracting the stored values before returning them - there isn't an
ioctl to zero out the in-kernel statistics.

The same is true on SunOS 5.x - the bufmod STREAMS module has no way to
clear the count of dropped packets - and on SunOS 3.x and 4.x as well. 
It appears to be the case on Irix also.

> Think about a program that opens the fildesc with high privs and then
> drops them and lets the user configure some parameter from a GUI. When the
> user chooses to start to sniff, a relevant amount of time has elapsed
> between pcap_open_live and pcap_read. In this situation the user will
> get old packets (accumulated in the kernel buffer) and wrong statistics
> (high value for dropped packets).

What parameter would it let you configure after the capture starts and
before it starts reading packets?

Ethereal, for example, doesn't open the pcap_t until you've filled in
the parameter and click "OK" to start capturing - and, once that's done,
it starts reading packets shortly afterwards.

> Do you think it will be useful to have such a function?  If so, I can
> implement it and propose a diff against the current release.
>
> I can simulate the flush of unread data within a loop, but the stats
> cannot be reset.

No, but an application that, for whatever reason, waits for a
significant amount of time before reading from the pcap_t could get the
statistics before it does the first read, and subtract those values from
the counts it gets later - which implements the same thing that libpcap
would end up implementing.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
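
The baseline-and-subtract approach described in the message above, as an added example that is not code from the message or from libpcap. `cap_stat` is a stand-in with the same counters as libpcap's `struct pcap_stat` so the block builds without libpcap; `stats_view`, `stats_zero`, `stats_since_zero` and `fake_reader` are hypothetical names, and in a real program the reader callback would wrap `pcap_stats()`.

```c
#include <stdio.h>

/* Stand-in for libpcap's struct pcap_stat (same counters); assumption for this example. */
struct cap_stat { unsigned int ps_recv, ps_drop, ps_ifdrop; };

/* Hypothetical reader callback: 0 on success, -1 on error, like pcap_stats(). */
typedef int (*stats_reader)(void *handle, struct cap_stat *out);

struct stats_view {
    stats_reader read;     /* source of raw counters the kernel never zeroes */
    void *handle;
    struct cap_stat base;  /* raw counters as they stood at the last "zero" */
};

/* "Zero" the statistics: remember the current raw values as the new baseline. */
int stats_zero(struct stats_view *v) {
    struct cap_stat now;
    if (v->read(v->handle, &now) != 0) return -1;  /* old baseline is kept */
    v->base = now;
    return 0;
}

/* Report counts since the last stats_zero(). Unsigned subtraction is modulo
 * 2^N, so the delta stays correct even if a raw counter wrapped once. */
int stats_since_zero(struct stats_view *v, struct cap_stat *out) {
    struct cap_stat now;
    if (v->read(v->handle, &now) != 0) return -1;
    out->ps_recv   = now.ps_recv   - v->base.ps_recv;
    out->ps_drop   = now.ps_drop   - v->base.ps_drop;
    out->ps_ifdrop = now.ps_ifdrop - v->base.ps_ifdrop;
    return 0;
}

/* Constructed test source: returns whatever counters the handle points at. */
static int fake_reader(void *handle, struct cap_stat *out) {
    if (handle == NULL) return -1;
    *out = *(struct cap_stat *)handle;
    return 0;
}

int main(void) {
    struct cap_stat kernel = { 5000, 4200, 0 };  /* piled up before the first read */
    struct stats_view v = { fake_reader, &kernel, { 0, 0, 0 } };
    struct cap_stat s;
    stats_zero(&v);                              /* user starts the capture */
    kernel.ps_recv += 120; kernel.ps_drop += 3;  /* traffic during the real capture */
    if (stats_since_zero(&v, &s) == 0)
        printf("recv=%u drop=%u ifdrop=%u\n", s.ps_recv, s.ps_drop, s.ps_ifdrop);
    return 0;
}
```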

