tcpdump mailing list archives

Re: Linux capture buffering


From: Guy Harris <guy () alum mit edu>
Date: Sun, 10 May 2009 09:25:36 -0700


On May 10, 2009, at 7:52 AM, Asier Martínez wrote:

> I'm a bit confused about what the behavior of Libpcap under Linux is
> when it is used to capture packets.
> If I'm not wrong, Libpcap under Linux ignores the timeout argument to_ms,
> so Libpcap is returning per captured packet?

Libpcap, prior to 1.0, does no buffering on Linux, as there is, as far as I know, no way to get a PF_PACKET socket not to wake up a reader until either

        1) a certain minimum number of packets or amount of packet data is available

or

        2) a timeout has expired

and deliver multiple packets with a single system call (as happens with, for example, BPF, Solaris's DLPI with the bufmod STREAMS module, and WinPcap's driver).

Libpcap 1.0 can use the memory-mapped capture mechanism; if so, it's not explicitly doing buffering, but when it gets woken up, it will process packets until it runs out of packets in the ring buffer, so it *could* process more than one packet per wakeup. However, there is, as far as I know, no way to *explicitly* request that a wakeup be delivered only after either a certain minimum number of packets or amount of packet data is available or a timeout has expired, which is why I say it's not *explicitly* doing buffering. I *suspect* that, with a high rate of packet arrival, you will get a significant amount of packet data per wakeup, but I've never measured it.
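A toy model of the wakeup-and-drain behaviour described in the message above, added here as an example (it is not libpcap code and not from the poster). The function name `simulate_ring`, the timing parameters and the assumption that the ring never overflows are all constructed for illustration; it is a model, not a measurement.

```c
#include <stdint.h>
#include <stdio.h>

/* Totals for one simulated capture run. */
struct run { uint64_t wakeups, packets, max_batch; };

/*
 * Toy model of the ring-draining behaviour described in the message:
 * the reader blocks until a packet is in the ring, takes wake_ns to get
 * running, then handles packets (proc_ns each) until the ring is empty.
 * Packet i arrives at i * gap_ns. All timings are assumed inputs, not
 * measurements, and the ring is assumed never to overflow.
 */
struct run simulate_ring(uint64_t npkts, uint64_t gap_ns,
                         uint64_t wake_ns, uint64_t proc_ns)
{
    struct run r = {0, 0, 0};
    uint64_t next = 0;                      /* next unprocessed packet */
    while (next < npkts) {
        /* Ring was empty, so the wakeup is triggered by packet `next`. */
        uint64_t now = next * gap_ns + wake_ns;
        uint64_t batch = 0;
        /* Drain: continue while the next packet has already arrived. */
        while (next < npkts && next * gap_ns <= now) {
            now += proc_ns;
            next++;
            batch++;
        }
        r.wakeups++;
        r.packets += batch;
        if (batch > r.max_batch) r.max_batch = batch;
    }
    return r;
}

int main(void)
{
    /* Constructed arrival gaps: 1 ms, 10 us, 1 us between packets. */
    const uint64_t gaps[] = {1000000, 10000, 1000};
    for (size_t i = 0; i < sizeof gaps / sizeof gaps[0]; i++) {
        struct run r = simulate_ring(100000, gaps[i], 5000, 500);
        printf("gap %8llu ns: %6llu wakeups, %.2f packets/wakeup, max %llu\n",
               (unsigned long long)gaps[i], (unsigned long long)r.wakeups,
               (double)r.packets / (double)r.wakeups,
               (unsigned long long)r.max_batch);
    }
    return 0;
}
```

In this model the batch size stays at one packet per wakeup until the arrival gap drops below the wakeup latency, and a reader that is slower than the arrival rate never goes back to sleep.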

