Guy Harris <guy <at> alum.mit.edu> writes:

> > it seems that libpcap captures them, but the pcap_dispatch (and pcap_loop as well) does not deliver packets to the pcap_handler.
>
> What do you mean by "libpcap captures them"? Do you mean that libpcap reads the packets into the userland
> buffer attached to the pcap_t, or that *BPF* captures them (i.e., they get put into the *kernel* buffer for
> the BPF device) but libpcap doesn't read them into its userland buffer?

Good question. Do you know how I could verify which buffer they stay in? Is there some printout I could add before calling pcap_dispatch to see what's in the kernel buffer and what's in the userland buffer?

> > Packets seem to remain in the buffer and they
> > get delivered only when the buffer is full.
>
> If you're referring to the BPF kernel buffer, that sounds as if the timeout mechanism isn't working. That
> was a bug that happened in 10.6 and 10.6.1 for 64-bit programs specifying sub-second timeouts, but that's
> fixed in 10.6.2 - *if* you're using libpcap (rather than using raw BPF; the bug in BPF isn't fixed, it's just
> worked around in libpcap).

I'm only using libpcap to access the device; I never perform direct calls on the underlying device (the application has to remain platform-neutral). I'm running on 10.6.2. The timeouts are all set to 1 second.

> Is your program built as a 32-bit program or a 64-bit program?

I was compiling for the native OS. The lipo -info command says it is i386. Just to be sure, I removed all other architectures (ppc and x86_64) from the list of compilation targets and recompiled. Nothing has changed. I will try to build it for x86_64 and see if anything changes.

> Presumably the tcpdump you downloaded and recompiled was recompiled on Snow Leopard, which means that, unless your machine has a 32-bit processor

It's a 64-bit processor. Anyway, tcpdump works fine. My line of reasoning is: if tcpdump works correctly and it always uses libpcap, then I should be able to capture using the same filter. I just cannot understand what my code (posted earlier) is doing differently from tcpdump.

Thanks for the support,
Marco
