--- Begin Message ---
On Feb 2, 2023, at 7:42 AM, Paschal Chukwuebuk Amusuo via tcpdump-workers
wrote:
> Please, is there any way to force pcap to deliver packets once it receives
> the packet?
> Currently, pcap delivers packets to my application at intervals and it
> batches the packets before delivering them. There are substantial time
> differences between when the packet is received by pcap and when it is
> finally delivered by the application.
pcap does not itself buffer packets. Packet capture mechanisms, such as
PF_PACKET sockets in memory-mapped mode on Linux, BPF devices on
macOS/*BSD/AIX/Solaris 11, and NPF for Windows, do the buffering.
This is intentional; it's done to reduce the overhead of per-packet capture by:
doing only one wakeup per batch of packets rather than per packet;
if the mechanism copies from the kernel to user space, doing one copy
per batch of packets rather than per packet;
packing multiple packets into a single chunk of the buffer.
The buffering has a timeout, so that packets don't have to wait for a buffer to
fill up before being delivered to userland code such as libpcap. Libpcap
allows the application to choose the timeout.
See the "packet buffer timeout" section of the main pcap man page:
https://www.tcpdump.org/manpages/pcap.3pcap.html
> In the screenshot I attached, 6 packets were received within 400ms but all
> delivered at the same time.
That's probably because your application has requested a 400ms timeout in a
call to pcap_open_live() or pcap_set_timeout() by passing 400 as the timeout
value (which is in milliseconds). You can either 1) choose a shorter timeout
or 2) use immediate mode, as per Denis's message.--- End Message ---
___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
