Hi, I develop a Linux sniffer application , which uses libpcap 1.2.0 library, which, in turn, uses PF_RING infrastructure to retrieve captured packets. The problem is that on some Suse 2.6 kernel machine, which is pretty much usual, SOMETIMES SOME packets are captured partially, i.e. tpacket_hdr structure tp_snaplen value is less then tp_len value. I see this right after that libpcap code calls RING_GET_FRAME on pcap_t handle, so my assumption is that libpcap in not "guilt" here.
I'm really sorry for the "SOMETIMES", but I've failed to isolate a problem, it may happen on single connection for a number of packets, while the rest are OK. So before I drill down to PF_RING and kernel debugging, may some of your guys have an idea why that weird stuff may happen?
_______________________________________________ Ntop-dev mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-dev
