Re: take over responsibility of the pcap_pkthdr *

[Guy Harris <guy () alum mit edu>]

On Jan 22, 2011, at 9:36 PM, Andrej van der Zee wrote:

> I have a question about the callback pcap_handler that is called for
> each packet.

If you mean the callback for pcap_loop() and pcap_dispatch(), that's a question best asked on tcpdump-workers () 
tcpdump org ("tcpdump-workers" could, in theory, be split into four mailing lists - tcpdump-users, tcpdump-dev, 
libpcap-users, and libpcap-dev - but it isn't).

> I assume that each pcap_pkthdr * is released by pcap
> after the callback returns.

Yes.

> Is it by any means possible to take over
> responsibility of the pcap_pkthdr *?

No.  There is *no* guarantee that either the "struct pcap_pkthdr" pointed to by the second argument to the callback or 
the pile of raw packet data pointed to by the third argument to the callback is valid after the callback returns; if 
you want a version of either of those that remains valid after the callback returns, you will have to make a copy of 
it.  (Note that the header or the data might be in a memory-mapped buffer shared between the kernel and userland; if 
so, the userland code could release it to the kernel as soon as the callback returns, so that userland doesn't hang 
onto a kernel buffer resource indefinitely - it's not as if they're necessarily copied into a purely-userland buffer by 
a read/recvfrom/getmsg/whatever, so that userland could somehow reference-count them.)
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe