tcpdump mailing list archives

Re: error executing ksniff with libpcap 1.0.0


From: Guy Harris <guy () alum mit edu>
Date: Mon, 17 Nov 2008 11:24:33 -0800


On Nov 17, 2008, at 10:27 AM, Giovanni Venturi wrote:

> memory-mapped capture support? I guess that this is used in libpcap 1.0.0, right?

It's supported by libpcap 1.0.0, but not *required* by libpcap 1.0.0.

> What kernel option do I have to check?

CONFIG_PACKET_MMAP.

However, as indicated, it's not required by libpcap 1.0.0; something else is probably happening here.

> It's failing pcap_next()

A more correct statement is probably "pcap_next() returns a null pointer"; pcap_next() returning a null pointer is *NOT* necessarily an indication that an error occurred.

To quote the new pcap_next_ex(3PCAP) man page (the old pcap(3) man page said something similar):

pcap_next() returns a pointer to the packet data on success, and returns NULL if an error occurred, or if no packets were read from a live capture (if, for example, they were discarded because they didn't pass the packet filter, or if, on platforms that support a read timeout that starts before any packets arrive, the timeout expires before any packets arrive, or if the file descriptor for the capture device is in non-blocking mode and no packets were available to be read), or if no more packets are available in a "savefile". Unfortunately, there is no way to determine whether an error occurred or not.

Note the last sentence.

I.e.:

> I printed pcap_geterr().

...there is no guarantee that, if pcap_next() returns NULL, the result of pcap_geterr() is at all meaningful; it will return whatever was last put into the internal error message buffer of the pcap_t.

Prior to libpcap 1.0.0, pcap_open_live() did not affect that internal message buffer.

In libpcap 1.0.0, the operation of opening a device for live capture is split between a "create the pcap_t" operation (pcap_create()), calls to set various options on that pcap_t, and an "activate the pcap_t with all the options that were set" operation (pcap_activate()). pcap_open_live() is a wrapper around those operations, and pcap_activate() can set the internal error message buffer.

I would suggest that you use either pcap_dispatch() or pcap_next_ex(); both of them let you tell the difference between an error and "no packets are available right now".

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

