tcpdump mailing list archives

Re: Directly accessing packet buffer


From: Guy Harris <guy () alum mit edu>
Date: Mon, 28 Mar 2011 23:46:45 -0700


On Mar 28, 2011, at 11:18 PM, Rayne wrote:

> I would like to be able to directly access the buffer where packets are stored when they're received. After some
> googling, I think perhaps libpcap with mmap would be the solution. Do libpcap 1.0 and above support mmap?

Libpcap 1.0 and above support, on those OSes where the underlying packet capture mechanism supports memory mapping 
(versions of the Linux kernel with the "turbopacket" mechanism, and FreeBSD 8.x and later), the memory-mapped capture 
mechanisms.

Libpcap does not, however, use mmap when reading a capture file ("savefile").

> From my understanding, mmap would allow me to directly access the buffer without having to explicitly copy the packet
> to another buffer for me to do processing. I would also appreciate it if someone can let me know where I can find
> examples of such applications, as many examples of mmap I've found involve mapping a buffer for file operations,
> rather than integrating it with pcap functions like pcap_loop, pcap_next_ex etc.

If you are running on a platform with a memory-mapped capture mechanism, and are using libpcap 1.0 or later, then, if 
you use pcap_loop() or pcap_dispatch(), your callback routine will be called with the packet data pointer argument 
pointing into the memory-mapped buffer.

If, however, you use pcap_next() or pcap_next_ex() on Linux, you will be handed a pointer to a buffer into which the 
packet was copied from the memory-mapped buffer.  If they were to hand you a pointer into the memory-mapped buffer, 
that slot in the memory-mapped buffer could not be released until your code was done with the packet - and the only way 
to indicate that you're done with the packet is to call pcap_next() or pcap_next_ex() again.  Using that as the 
"release the packet" indication was (for reasons I don't remember, but I could reconstruct if necessary) not really 
acceptable, and releasing the packet *before* you read the next packet means that the packet data could be overwritten 
while you're processing it.
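The lifetime rules in the reply above, as an added example that is not part of the original thread and not libpcap code: a small ring of fixed slots stands in for the kernel's memory-mapped buffer, `ring_dispatch()` mimics the pcap_loop()/pcap_dispatch() contract (the callback is handed a pointer into the ring and the slot is released when the callback returns), and `ring_next()` mimics pcap_next_ex() on Linux (the packet is copied to a private buffer that stays valid until the next call). All names, the ring layout and the sample packets are constructed for the illustration; the point it shows is that a pointer retained past the callback is overwritten once the ring wraps, while a copy survives.

```c
/* Added example: a model of the two libpcap access patterns, not libpcap itself. */
#include <stddef.h>
#include <string.h>

#define SLOTS 4           /* constructed: a tiny ring so it wraps quickly */
#define SLOT_LEN 64

struct ring {
    unsigned char data[SLOTS][SLOT_LEN];
    size_t len[SLOTS];
    int used[SLOTS];      /* 1 while the slot holds a packet the reader has not released */
    int head;             /* next slot the producer ("kernel") will fill */
    int tail;             /* next slot the reader will consume */
};

typedef void (*pkt_handler)(void *user, const unsigned char *pkt, size_t len);

/* Producer side: store a packet in the next free slot. Returns 0 if the ring is full. */
int ring_push(struct ring *r, const unsigned char *pkt, size_t len) {
    if (r->used[r->head] || len > SLOT_LEN) return 0;
    memcpy(r->data[r->head], pkt, len);
    r->len[r->head] = len;
    r->used[r->head] = 1;
    r->head = (r->head + 1) % SLOTS;
    return 1;
}

/* pcap_loop()-style: the callback sees a pointer INTO the ring; the slot is released on return. */
int ring_dispatch(struct ring *r, int cnt, pkt_handler cb, void *user) {
    int n = 0;
    while (n < cnt && r->used[r->tail]) {
        cb(user, r->data[r->tail], r->len[r->tail]);
        r->used[r->tail] = 0;                 /* slot handed back to the producer */
        r->tail = (r->tail + 1) % SLOTS;
        n++;
    }
    return n;
}

/* pcap_next_ex()-style: copy the packet out, release the slot, hand back the private copy. */
int ring_next(struct ring *r, unsigned char *out, size_t *outlen) {
    if (!r->used[r->tail]) return 0;
    *outlen = r->len[r->tail];
    memcpy(out, r->data[r->tail], *outlen);
    r->used[r->tail] = 0;
    r->tail = (r->tail + 1) % SLOTS;
    return 1;
}

struct stash { const unsigned char *ptr; unsigned char copy[SLOT_LEN]; size_t len; };

/* Wrong: keeps the ring pointer after the callback returns. */
static void stash_pointer(void *user, const unsigned char *pkt, size_t len) {
    struct stash *s = user; s->ptr = pkt; s->len = len;
}

/* Right: copies the bytes it needs while the pointer is still valid. */
static void stash_copy(void *user, const unsigned char *pkt, size_t len) {
    struct stash *s = user; memcpy(s->copy, pkt, len); s->len = len;
}

/* Deliver one packet via the given callback, then let the producer fill the ring until it wraps. */
static void deliver_then_wrap(struct ring *r, struct stash *s, pkt_handler cb) {
    static const unsigned char first[] = "pkt-A";   /* constructed sample packet */
    static const unsigned char later[] = "pkt-Z";   /* constructed sample packet */
    memset(r, 0, sizeof *r);
    memset(s, 0, sizeof *s);
    ring_push(r, first, sizeof first);
    ring_dispatch(r, 1, cb, s);
    for (int i = 0; i < SLOTS; i++) ring_push(r, later, sizeof later);  /* 4th push lands on slot 0 */
}

/* 1 if the retained ring pointer still reads "pkt-A" after the ring wrapped, 0 if it was overwritten. */
int retained_pointer_survives(void) {
    struct ring r; struct stash s;
    deliver_then_wrap(&r, &s, stash_pointer);
    return memcmp(s.ptr, "pkt-A", s.len) == 0;
}

/* 1 if the copy made inside the callback still reads "pkt-A" after the ring wrapped. */
int copied_packet_survives(void) {
    struct ring r; struct stash s;
    deliver_then_wrap(&r, &s, stash_copy);
    return memcmp(s.copy, "pkt-A", s.len) == 0;
}

/* 1 if the buffer returned by the pcap_next_ex()-style call is unaffected by later ring activity. */
int next_copy_survives(void) {
    static const unsigned char first[] = "pkt-A";
    static const unsigned char later[] = "pkt-Z";
    struct ring r; unsigned char out[SLOT_LEN]; size_t n = 0;
    memset(&r, 0, sizeof r);
    ring_push(&r, first, sizeof first);
    if (!ring_next(&r, out, &n)) return 0;
    for (int i = 0; i < SLOTS; i++) ring_push(&r, later, sizeof later);
    return memcmp(out, "pkt-A", n) == 0;
}
```

The same discipline applies to real libpcap code: inside a pcap_loop()/pcap_dispatch() callback, either finish with the packet before returning or copy the bytes you intend to keep, since the data pointer is only guaranteed for the duration of the callback; with pcap_next_ex() the pointer you are given is only guaranteed until the next pcap_next_ex() call.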
This is the tcpdump-workers list.

