Hi.
We have an application that uses libpcap for many Linux versions and for Mac OS
X Leopard with an excellent outcome. When tested on Snow Leopard (10.6.2), it
stopped working. I googled a lot and found out about the BPF issues that you
mention on many posts like
http://www.mail-archive.com/[email protected]/msg16294.html
I'm not monitoring my own packets, and anyway, giving read and write
permissions to group and to everybody didn't help. I ruled out also the
wireless card problems by attaching directly to the router. Nada.
Since Mac OS X 10.6 ships with libpcap 1.0.0, I tried using the new interface
with pcap_create and pcap_activate, which also allows buffer customization
previously unavailable. After many tests and combinations, it worked with this
strange trick: reducing the buffer size to 128 bytes, so that only 1 packet
could be held in the system's buffer, and thus it would be delivered to the
application immediately when the next packet arrives. Changing all the other
settings (timeouts, packet count in the pcap_dispatch, etc.) does not affect the
results.
Of course the last packet never gets delivered. If I give the buffer enough
space for 10 packets, I can see that the last 10 packets of what I'm monitoring
are not delivered, therefore I suppose they lie in the buffer and do not get
delivered by pcap_dispatch. I tried also using pcap_loop, without any change.
Here's the creation of the session.
    // Using PCAP 1.0.0 features on Mac OS X Snow Leopard
    #if defined(PCAP_HAS_CREATE)
    // Create an inactive handle; options are set before pcap_activate().
    if ((pcapSession = pcap_create(iface->getName().c_str(), errbuf)) == NULL)
    {
        LOG_STATIC_TRACE(util::logging::METHOD_EXIT_FAIL<<" error <"<<errbuf<<">");
        RAISE_EXCEPTION_WITH_MSG(CreateSessionErrorException, errbuf);
    }
    if (pcap_set_snaplen(pcapSession, snapLen) != 0)
    {
        std::string error = pcap_geterr(pcapSession);
        pcap_close(pcapSession);
        LOG_STATIC_TRACE(util::logging::METHOD_EXIT_FAIL<<" error <"<<error<<">");
        RAISE_EXCEPTION_WITH_MSG(CreateSessionErrorException, error);
    }
    if (pcap_set_promisc(pcapSession, promisc ? 1 : 0) != 0)
    {
        std::string error = pcap_geterr(pcapSession);
        pcap_close(pcapSession);
        LOG_STATIC_TRACE(util::logging::METHOD_EXIT_FAIL<<" error <"<<error<<">");
        RAISE_EXCEPTION_WITH_MSG(CreateSessionErrorException, error);
    }
    // Read timeout in milliseconds.
    if (pcap_set_timeout(pcapSession, 1000) != 0)
    {
        std::string error = pcap_geterr(pcapSession);
        pcap_close(pcapSession);
        LOG_STATIC_TRACE(util::logging::METHOD_EXIT_FAIL<<" error <"<<error<<">");
        RAISE_EXCEPTION_WITH_MSG(CreateSessionErrorException, error);
    }
    if (pcap_set_rfmon(pcapSession, 0) != 0)
    {
        std::string error = pcap_geterr(pcapSession);
        pcap_close(pcapSession);
        LOG_STATIC_TRACE(util::logging::METHOD_EXIT_FAIL<<" error <"<<error<<">");
        RAISE_EXCEPTION_WITH_MSG(CreateSessionErrorException, error);
    }
    // FIXME: This is where the workaround takes place! Increase the buffer and
    // packets are proportionally not delivered!
    if (pcap_set_buffer_size(pcapSession, 128) != 0)
    {
        std::string error = pcap_geterr(pcapSession);
        pcap_close(pcapSession);
        LOG_STATIC_TRACE(util::logging::METHOD_EXIT_FAIL<<" error <"<<error<<">");
        RAISE_EXCEPTION_WITH_MSG(CreateSessionErrorException, error);
    }
    // pcap_activate() returns a positive value for warnings (the handle is
    // still usable), so only negative return values are treated as errors.
    if (pcap_activate(pcapSession) < 0)
    {
        std::string error = pcap_geterr(pcapSession);
        pcap_close(pcapSession);
        LOG_STATIC_TRACE(util::logging::METHOD_EXIT_FAIL<<" error <"<<error<<">");
        RAISE_EXCEPTION_WITH_MSG(CreateSessionErrorException, error);
    }
    #else
    // Older libpcap: single-call open, no control over the buffer size.
    if ((pcapSession = pcap_open_live(iface->getName().c_str(), snapLen,
                                      promisc ? 1 : 0, 1000, errbuf)) == NULL)
    {
        LOG_STATIC_TRACE(util::logging::METHOD_EXIT_FAIL<<" error <"<<errbuf<<">");
        RAISE_EXCEPTION_WITH_MSG(CreateSessionErrorException, errbuf);
    }
    #endif
The call to dispatch is very simple, this is a snippet:
    while(true)
    {
        // Process up to 100 packets per call; -1 signals an error.
        int32_t ret = pcap_dispatch(m_impl->pcapSession, 100,
            detail::PacketCaptureSession_pcap_handler, (u_char*)this);
        if (ret==-1)
        {
            std::string error = pcap_geterr(m_impl->pcapSession);
            LOG_TRACE(util::logging::METHOD_EXIT_FAIL<<" error <"<<error<<">");
            RAISE_EXCEPTION_WITH_MSG(PacketCaptureSessionException, error);
        }
        ...
Any idea that could point me in resolving the issue? Have you ever seen this
behaviour before? The application works fine with all other O.S. which run
older pcap versions. I recompiled tcpdump 4.0.0 on my machine, and it works!
Therefore I shall be able to capture correctly.
Best regards,
Marco
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.