Luca Deri wrote:

> Yes it will work correctly as when the PF_RING socket is open, the call
> will fail and the library will fall back to standard pcap.

...in which case it will

1) do getsockopt(handle->fd, 0, PACKET_STATISTICS, &kstats, &len) on
the PF_PACKET socket rather than doing getsockopt(handle->fd,
SOL_SOCKET, PACKET_STATISTICS, &kstats, &len), as it would do if
compiled without PF_RING support

and

2) assume that the statistics are not reset after doing that call,
rather than assuming that they *are* reset, as it would do if compiled
without PF_RING support.

Do the PF_RING patches change the behavior of PF_PACKET sockets, so that
they support doing a PACKET_STATISTICS getsockopt() with a level of 0,
and so that doing that is like doing a PACKET_STATISTICS getsockopt()
with a level of SOL_SOCKET, except that PACKET_STATISTICS with a level
of 0 doesn't reset the statistics?
If not, then that can't be done with an #ifdef - *both* code paths need
to be supported at run time if PF_RING support is compiled in, with the
code path selected based on whether the pcap_t uses a PF_RING socket or
a PF_PACKET socket. (That can be done by having two separate routines,
one for PF_RING sockets and one for PF_PACKET sockets, with
handle->stats_op set to the appropriate routine, or by having one
routine that, if PF_RING support is compiled in, checks whether
handle->ring is null or not.)
BTW, it appears to unconditionally set handle->linktype to DLT_EN10MB if
PF_RING is being used. What if the device on which you're capturing is,
for example, a PPP link, or an 802.11 device in monitor mode? Can you
get 802.11 headers, or 802.11 headers plus a radio header, from an
802.11 device with PF_RING?
Also, what happens if pfring_open() is passed a null pointer, or the
string "any", as an argument? Does it fail, or does it return a "pfring
*" that supplies packets from all adapters? (The "Improving Passive
Packet Capture: Beyond Device Polling" paper says

    If a PF_RING socket is bound to an adapter (via the bind() syscall),
    such adapter will be used in read-only mode until the socket is destroyed.

Does that mean you can have a PF_RING socket not bound to an adapter
and, if so, does that supply packets from all adapters?)
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
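
The run-time selection suggested in the message above (a separate statistics routine per socket type, chosen through handle->stats_op), as an added example that is not libpcap or PF_RING code. `struct ksrc` is a constructed stand-in for the kernel counters that getsockopt() would return, the cumulative behaviour of the PF_RING counters is the patch's assumption, and every name other than `stats_op` and `ring` is hypothetical.

```c
#include <stdio.h>

/* Constructed stand-in for a socket's kernel counters; a real build would
 * read them with getsockopt(PACKET_STATISTICS) instead. */
struct ksrc { unsigned recv, drop; int resets_on_read; };
struct cap_stats { unsigned recv, drop; };

struct handle {
    struct ksrc *src;       /* simulated socket */
    void *ring;             /* non-NULL only when a PF_RING socket is open */
    struct cap_stats acc;   /* running totals for reset-on-read counters */
    int (*stats_op)(struct handle *, struct cap_stats *);
};

static void read_kernel(struct ksrc *s, struct cap_stats *out) {
    out->recv = s->recv; out->drop = s->drop;
    if (s->resets_on_read) s->recv = s->drop = 0;
}

/* PF_PACKET path: each read zeroes the counters, so keep a running sum. */
static int stats_packet(struct handle *h, struct cap_stats *out) {
    struct cap_stats k;
    read_kernel(h->src, &k);
    h->acc.recv += k.recv; h->acc.drop += k.drop;
    *out = h->acc;
    return 0;
}

/* PF_RING path (assumed cumulative, as the patch assumes): report as read. */
static int stats_ring(struct handle *h, struct cap_stats *out) {
    read_kernel(h->src, out);
    return 0;
}

/* Run once at open time, after the PF_RING open either worked or fell back. */
static void select_stats_op(struct handle *h) {
    h->stats_op = h->ring ? stats_ring : stats_packet;
}

int main(void) {
    struct ksrc pk = { 10, 1, 1 };          /* fell back to PF_PACKET */
    struct handle h = { &pk, NULL, { 0, 0 }, NULL };
    struct cap_stats s;
    select_stats_op(&h);
    h.stats_op(&h, &s);
    pk.recv += 5;                           /* 5 more packets after the reset */
    h.stats_op(&h, &s);
    printf("recv=%u drop=%u\n", s.recv, s.drop);
    return 0;
}
```

Calling the accumulating routine on counters that are not reset counts earlier packets again on every read, which is the mismatch a compile-time #ifdef cannot avoid when the open falls back.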