aman Reddy wrote:
Can anyone please tell me the difference between pcap_dispatch and pcap_loop?
To quote the current CVS libpcap man page:
pcap_dispatch() is used to collect and process packets. cnt specifies the maximum number of packets to process before returning. This is not a minimum number; when reading a live capture, only one bufferful of packets is read at a time, so fewer than cnt packets may be processed. A cnt of -1 processes all the packets received in one buffer when reading a live capture, or all the packets in the file when reading a "savefile".
...
pcap_loop() is similar to pcap_dispatch() except it keeps reading packets until cnt packets are processed or an error occurs. It does not return when live read timeouts occur. Rather, specifying a non-zero read timeout to pcap_open_live() and then calling pcap_dispatch() allows the reception and processing of any packets that arrive when the timeout occurs. A negative cnt causes pcap_loop() to loop forever (or at least until an error occurs).
There's not a difference when reading a capture file, but when you're doing a live capture, pcap_loop() loops forever (count of -1) or until the count expires, while pcap_dispatch() just processes the packets returned by one read from the OS's capture mechanism; it doesn't keep capturing.
In the following
pcap_dispatch(pcap_session,3,packet_hdl,(u_char*)&t)
the second argument specifies how many packets it has to capture.
Please correct me if I am wrong. I am assuming that the function pcap_dispatch will call packet_hdl after all 3 packets are received.
Not necessarily. "pcap_dispatch()" will, in that call, process no *more* than 3 packets. However, if there are some received ("received" here means "read from the OS's packet capture mechanism") packets in its buffer, "pcap_dispatch()" will return those packets. If there was a previous call to "pcap_dispatch()", it had received 5 packets, but had been given a count of 3, that'll leave 2 packets in the buffer, and a subsequent call to "pcap_dispatch()" will only return those 2 packets even if it's given a count of 3.
In addition, if there aren't any packets in its buffer, "pcap_dispatch()" will attempt to receive more packets. It won't return *any* packets until the receive completes; the number of packets that will be received could be less than 3, or more than 3, or equal to 3. If the capture is being done on a platform where receiving packets is done with a timeout, so that the receive completes if the timeout expires or the OS's packet buffer is full, the receive won't necessarily complete when 3 packets have been read; it'll wait until the timeout expires or the buffer is full.
And for each packet packet_hdl is called to process the packet.
Yes.
However, if there are fewer than 3 packets in the buffer, packet_hdl will be called only for those packets.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
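The buffering behaviour described in the reply above, as a toy model in C. This is an added example, not code from the thread and not libpcap's implementation: `struct model`, `model_dispatch()`, `model_loop()` and the `reads[]` script of per-read packet counts are hypothetical names and constructed data, and no libpcap is needed to run it.

```c
#include <stdio.h>

/* Constructed script: packets delivered by each successive OS read.
 * A 0 models a read that ends on the timeout with nothing captured. */
static const int reads[] = {5, 0, 1, 4};
static const int nreads = (int)(sizeof reads / sizeof reads[0]);

struct model { int next_read; int buffered; int handled; };

/* Model of pcap_dispatch() on a live capture: drain what is already
 * buffered, or do exactly one read if the buffer is empty, and hand
 * at most cnt packets to the handler (cnt < 0: the whole bufferful). */
int model_dispatch(struct model *m, int cnt)
{
    int n = 0;
    if (m->buffered == 0) {
        if (m->next_read >= nreads)
            return -1;              /* script exhausted: treat as error */
        m->buffered = reads[m->next_read++];
    }
    while (m->buffered > 0 && (cnt < 0 || n < cnt)) {
        m->handled++;               /* stands in for calling packet_hdl */
        m->buffered--;
        n++;
    }
    return n;                       /* may be 0 or fewer than cnt */
}

/* Model of pcap_loop(): keep dispatching until cnt packets have been
 * handled or an error occurs; a timeout (0 packets) does not end it. */
int model_loop(struct model *m, int cnt)
{
    int done = 0;
    while (cnt < 0 || done < cnt) {
        int n = model_dispatch(m, cnt < 0 ? -1 : cnt - done);
        if (n < 0)
            return -1;
        done += n;
    }
    return 0;
}

int main(void)
{
    struct model m = {0, 0, 0};
    for (int i = 0; i < 4; i++)     /* same call, four different results */
        printf("dispatch(3) -> %d\n", model_dispatch(&m, 3));
    return 0;
}
```

With this script, four identical `model_dispatch(&m, 3)` calls hand 3, 2, 0 and 1 packets to the handler, while `model_loop(&m, 6)` on a fresh model rides through the empty read and returns only after 6 packets.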