Re: libpcap on Mac Os X 10.6 Snow Leopard

[Carter Bullard <carter () qosient com>]

Gentle people,
I also am seeing similar behavior with libpcap-1.0.0 on Snow Leopard (10.6.2).
Seems that this just started very recently, possible with the upgrade to 10.6.2
but not sure about that.

In my application, which uses pcap_dispatch() in non-blocking mode, and uses
select() to be notified when to read all available packets, I am receiving packets from
wireless interfaces in big "chunks", where the times between chunks  can be rather
large (> 10-30 seconds) even though there are packets every, lets say 0.25 seconds.

I have not had time to verify if this is seen on all interfaces.

I open the interface using pcap_open_live(), with a 0.1 second timeout value.  All
other parameters are default.

Is any additional information I can provide to assist?

Carter


On Feb 1, 2010, at 10:28 AM, Marco De Angelis wrote:

> Guy Harris <guy <at> alum.mit.edu> writes:
>
> > The issue described in that message is fixed in 10.6.2.
>
> Thanks so much for replying (Sorry if this reply arrives twice, I had problems
> in subscribing). That is good to know. I have 10.6.2, but I still experience
> problems (packets not dispatched).
>
> > These are both BPF issues; libpcap 1.0.0 didn't *introduce* them -
>
> I was just looking at my depedencies, without being sure if I should investigate
> more for a Snow Leopard bug or on the libpcap side.
>
> > So what is the exact problem you're seeing?  What is the difference you see
> between Leopard and Snow Leopard?
> > (PF_PACKET sockets work differently from BPF, so differences between Linux and
> {Leopard,Snow
> > Leopard,*BSD} are less interesting here.)-
>
> The problem is that the packets are not delivered to the application. More
> specifically, it seems that libpcap captures them, but the pcap_dispatch (and
> pcap_loop as well) does not deliver packets to the pcap_handler. Packets seems
> to remain in the buffer and they get delivered only when the buffer is full.
>
> With a buffer of 128 bytes (which can hold only one packet), the packets are
> delivered to the application immediately.
> With a buffer of 1280 bytes, I get the packets delivered at burst of ten, only
> when the next ten are collected. Of course, that means also that the last group
> of packets would remain in the buffer and are never delivered.
>
> The problem is, the same code is working perfectly on all other OSes. Can you
> suggest something to try out?
>
> > > I recompiled tcpdump 4.0.0 on my machine, and it works!
> >
> > On which machine?  The Snow Leopard machine?  If so, does the tcpdump 4.0.0
> that comes with Snow Leopard *not* work?
>
> The original Tcpdump on Snow Leopard (the one that comes with the O.S.) worked
> fine, and also the one I downloaded and recompiled. I recompiled it just to be
> sure that they didn't do some "trick" to make it work.
> Maybe I just don't trust the Authority :)
>
> Regards,
> Marco
>
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.

Attachment: smime.p7s
Description: