tcpdump mailing list archives

Multiple interface capture and thread safety status in libpcap


From: Wiener Schnitzel <wiener.schnitzel () still-pending com>
Date: Thu, 10 May 2012 16:43:50 +0200

Hi all,

I need to perform packet sniffing on several interfaces at the same time. My natural approach would be to open a pcap_t object for each interface and place a "select" call (considering Linux) to deal with packet dispatching. My only constraint is that I have to treat the received packets in chronological order: indeed, I would like to process the data as it gets to the interfaces, without introducing any reordering. If I am not mistaken, it might be possible that a "select" call does not read data in temporal order, if multiple FDs are ready at the time the process is scheduled for running by the OS. Is that correct?

A work-around to this problem might be to move the capture to different threads: each thread has its own pthread_t object and captures traffic on a different interface. In this case, I do not have a clear picture about which parts of libpcap are thread-safe and which are not (my reference version is 1.1.1); I have found really old posts about thread-safety issues in pcap_compile and pcap_setfilter (which I would need: 1 common filter for each thread) but nothing more.

To sum up:

1) Could I/O multiplexing reorder packets when sniffing multiple interfaces?

2) What are the caveats to take into account when capturing from different interfaces using threads (1 thread per interface, same BPF filter for each thread)? Which parts of libpcap are not thread-safe (v. >= 1.1.1)?

Thank you


Alberto Balesena
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
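
The ordering concern in the message above, as an added example that is not part of the original post and is not libpcap code: select() reports which descriptors are ready, not the order in which they became ready, so draining them in descriptor order can interleave timestamps, while merging on the capture timestamp restores order. The names `pkt`, `queue`, `drain` and `demo` are hypothetical, the packet data is constructed, and no libpcap call is made.

```c
#include <stddef.h>
#include <sys/time.h>

/* Constructed stand-in for packets already read from one interface's pcap_t;
 * ts mirrors the capture timestamp libpcap reports in pcap_pkthdr.ts. */
struct pkt   { struct timeval ts; int ifindex; };
struct queue { const struct pkt *pkts; size_t len, pos; };

static int ts_before(const struct pkt *a, const struct pkt *b)
{
    return a->ts.tv_sec != b->ts.tv_sec ? a->ts.tv_sec < b->ts.tv_sec
                                        : a->ts.tv_usec < b->ts.tv_usec;
}

/* by_ts == 0: plain select() loop, lowest ready descriptor drained first.
 * by_ts != 0: timestamp merge, oldest head-of-queue packet emitted next
 * (assumes each interface's own packets are already in timestamp order). */
size_t drain(struct queue *q, size_t nq, struct pkt *out, int by_ts)
{
    for (size_t n = 0;;) {
        struct queue *best = NULL;
        for (size_t i = 0; i < nq; i++)
            if (q[i].pos < q[i].len && (!best || (by_ts &&
                ts_before(&q[i].pkts[q[i].pos], &best->pkts[best->pos]))))
                best = &q[i];
        if (!best)
            return n;
        out[n++] = best->pkts[best->pos++];
    }
}

/* Returns 1 when p[0..n) is in non-decreasing timestamp order. */
int is_chronological(const struct pkt *p, size_t n)
{
    for (size_t i = 1; i < n; i++)
        if (ts_before(&p[i], &p[i - 1]))
            return 0;
    return 1;
}

/* Constructed sample: two interfaces whose packets interleave in time. */
static const struct pkt if0[] = {{{10, 100}, 0}, {{10, 900}, 0}};
static const struct pkt if1[] = {{{10, 500}, 1}, {{11, 0}, 1}};

int demo(int by_ts)
{
    struct queue q[] = {{if0, 2, 0}, {if1, 2, 0}};
    struct pkt out[4];
    return is_chronological(out, drain(q, 2, out, by_ts));
}
```

The merge only orders packets that are already buffered: a packet with an earlier timestamp can still arrive later on another interface, so a live capture loop would also need a short hold-back window before emitting.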

