Re: Is libpcap pcap_set_buffer_size() == winpcap pcap_setbuff() ?

[Guy Harris <guy () alum mit edu>]

On Sep 3, 2009, at 9:13 AM, Chris Morgan wrote:

> A user of Sharppcap is asking if we support pcap_setbuff(). Apparently
> this is a winpcap specific option.

Yes.

The problem is that not all platforms atop which libpcap runs can  
support setting the buffer size after you've opened a network  
interface for capturing - BPF won't let you change the buffer size on  
a /dev/bpf* device once you've bound it to an interface.

The WinPcap people added pcap_setbuff(), but the code whose buffer  
size it changes is their code, so they could make it work however they  
wanted; the capture code libpcap uses is part of the UN*X systems on  
which it runs.

> I was wondering if pcap_set_buffer_size() was the same as  
> pcap_setbuff().

"The same" in what sense?

They are used differently.  Libpcap 1.x, in order to allow more  
options to be specified when a network interface is opened for  
capturing, split pcap_open_live() into pcap_create(), which creates a  
"non-activated" pcap_t, on which options can be set but upon which  
capturing cannot be done, and pcap_activate(), which "activates" the  
pcap_t so that you can capture on it.

One option that can be set between creation and activation is the  
buffer size; that even works on systems that use BPF for capturing, as  
the /dev/bpf* device isn't opened, much less bound to an interface,  
until the pcap_t is activated.

So, to set the buffer size when you open an interface, you do

        pd = pcap_create(...);
        if (pd == NULL)
                fail;

                ...

        status = pcap_set_buffer_size(pd, buffer_size);
        if (status != 0)
                fail;

                ...

        status = pcap_activate(pd);
        if (status != 0)
                fail;

pcap_setbuff() takes an opened pcap_t as an argument, so it can only  
be called *after* the interface has been opened, so, to set the buffer  
size on Windows after you open an interface, you do

        pd = pcap_open_live(...);
        if (pd == NULL)
                fail;

        if (pcap_setbuff(pd, buffer_size) == -1)
                fail;

or, in WinPcap 4.1 (at least as of 4.1b5 - I don't know which version  
first picked up pcap_create() and pcap_activate()):

        pd = pcap_create(...);
        if (pd == NULL)
                fail;

                ...

        status = pcap_activate(pd);
        if (status == 0)
                fail;

        if (pcap_setbuff(pd, buffer_size) == -1)
                fail;

> If so, are there any plans to unify the api for increased cross  
> platform code
> portability?

WinPcap 4.1 (again, at least as of 4.1b5) has pcap_set_buffer_size(),  
so you can do

        pd = pcap_create(...);
        if (pd == NULL)
                fail;

                ...

        status = pcap_set_buffer_size(pd, buffer_size);
        if (status != 0)
                fail;

                ...

        status = pcap_activate(pd);
        if (status != 0)
                fail;

on Windows with WinPcap 4.1 and on UN*Xes if you have libpcap 1.x.

libpcap will not pick up pcap_setbuff() as it cannot be implemented on  
all platforms (no *BSD, AIX, or Mac OS X) and as it has  
pcap_set_buffer_size().
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.