Re: Packet arrival order

[Eloy Paris <peloy () chapus net>]

Hello,

On Tue, Apr 03, 2007 at 02:49:14PM +0100, roy hills wrote:

> > I've also had problems with Solaris. In my opinion it's not the
> > best platform for capturing packets in real-time. In Network Expect
> > (http://www.netexpect.org) I am currently using the following code,
> > which I borrowed from another open source project (can't remember
> > which):
> >
> > [snip]
>
> Great - that works.  Thanks.

Excellent; glad to hear.

> > If I remember correctly this makes things "pseudo work" since now
> > select() will return immediately but regardless of whether there's
> > data ready to be read. But at least this is better than select() not
> > returning at all since your code can check for select()'s return
> > value and read data if there's something to read or go back to
> > select() if there's nothing.
>
> I'll need to check on how select() is behaving, but it is working, and
> I'm only calling pcap_dispatch() if select() indicates that the pcap
> fd is readable.

Yeah, that's what I do too. However, if I remember correctly, I found
out that select() was not blocking (as it should) when there was no
data available, so I have a bit of extra CPU work. To test whether this
is happening to you as well you can just put a printf() right after
select():

retval = select(...);
printf("select() returned %d\n", retval);

If you have the same "problem" as I do you should see a stream of
"select() returned 0", if I remember correctly.

> > As I said, Solaris behaves really weird when using select() on a
> > libpcap packet capture descriptor. I can't explain it.
>
> I think there is a need for documentation on libpcap
> implementation-specific differences.

Agreed. I've found that libpcap works great and out of the box for
buffered captures, but I've had to do platform-dependant tweaking for
real-time captures.

> I found that Linux (packet socket) just worked,

Yes, Linux works great and out of the box for both buffered and
unbuffered (real time) captures. No tweaking is necessary, as far as I
know.

> but I then had to alter the code for BSD (BPF) to prevent buffering

You mean setting BIOCIMMEDIATE on the BSDs, right?

> and work around select() issue,

Would this be the issue of select() returning "there's data available
to be read" only once? In other words, new data arrives and select()
returns "there's data available". However, if more data arrives before
you've read the data that was previously available, next time you call
select() it won't tell you that there's data available.

Or is it the issue documented in pcap's man page?

> and I'm now having similar problems with Solaris (DLPI).
> I bet loads of people must go through this sort of thing.

Yes, all of us using libpcap as a way to read packets in a portable way
and in real time are facing the same issues.

Cheers,

Eloy.-
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.