> For example, each time pcap_dispatch() or pcap_loop() calls the packet
> handler function, a (u_char *) pointer to the new packet data is passed
> to the packet handler; once I'm done with the packet, should I free()
> this memory?
No. That memory is managed by libpcap; note that if you want to
preserve the contents of the packet data, you must make a copy of it, as
libpcap makes no guarantee that the data in the packet will remain at
that location once the packet handler function returns (in fact, it
probably *won't* remain there, other stuff will be read into the buffer
if "pcap_dispatch()" or "pcap_loop()" reads another bufferful of packets
from the kernel).
> Should I do the same for the (struct pcap_pkthdr *) pointer
> that is also passed to the packet handler function?
No. That memory is also managed by libpcap (and you have to save that
data yourself as well, if you want it to persist after the packet
handler returns).
> Or, do pcap_dispatch() and pcap_loop() automatically free the memory
> once the packet handler function returns?
No, it's more complicated than that - the packet buffer is allocated by
libpcap on an open, *reused* for each new bufferful of packet data read
from the kernel, and freed on a close.
> If so, what about pcap_next()?
"pcap_next()" calls "pcap_dispatch()", and the packet buffer to which it
returns a pointer is the one to which "pcap_dispatch()" returned a
pointer, so the same rules apply.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
