On Feb 9, 2010, at 2:15 AM, Marco De Angelis wrote:
> I made an interesting test.
> By collecting pcap_stats() after every call to pcap_dispatch and
> printing the pcap_stat values out, I could verify that the packets
> are received.
> E.g. if I filter for ICMP packets, by launching "ping" commands
> I can see "ps_recv" increase rapidly.
>
> Now, I don't know what "received" means (in userland? in kernel
> buffer?), but maybe you do :)
I know it depends on the platform. :-)
In BPF-based systems such as *BSD and OS X, it counts packets that are seen by
the BPF mechanism, regardless of whether they pass the capture filter or not,
so it can count packets that aren't even put into the *kernel* buffer. If you
have no capture filter, so that all packets "pass the filter", it counts
packets put into the kernel buffer, regardless of whether they've been read
into userland.
So it sounds as if, for some reason, the timer isn't expiring and causing
packets to be delivered.
Your code snippet shows pcap_dispatch() being called at the beginning of a
"loop forever" loop, so I presume you're not doing a select() to wait for
packets to arrive (that has a problem in older versions of *BSD and still has a
problem in OS X).
Could you - and Carter - put, into your programs, the following includes (if
they're not already there):
#include <string.h>
#include <errno.h>
#include <sys/ioctl.h>
and, before the include of pcap.h, add
#define PCAP_DONT_INCLUDE_PCAP_BPF_H
and then, after the include of pcap.h, add
#include <net/bpf.h>
and then, in the routine/method that calls pcap_open_live() or pcap_activate(),
add
char errbuf[PCAP_ERRBUF_SIZE];
struct BPF_TIMEVAL t;
and, after the pcap_open_live() or pcap_activate() call, do
/* ask the kernel what read timeout is actually set on the BPF descriptor */
if (ioctl(pcap_fileno(pd), BIOCGRTIMEOUT, &t) == -1) {
    fprintf(stderr, "bpftest: BIOCGRTIMEOUT failed: %s\n",
        strerror(errno));
    return 2;
}
/* tv_sec/tv_usec are not necessarily int, so cast for the format */
printf("BIOCGRTIMEOUT = %#08lx, t.tv_sec = %ld, t.tv_usec = %ld\n",
    (unsigned long)BIOCGRTIMEOUT, (long)t.tv_sec, (long)t.tv_usec);
where:
1) "pd" is the return value from pcap_create() or pcap_open_live()
(pcapSession, in Marco's code snippet; pd, in Carter's);
2) the printf() call can be replaced by a C++ equivalent, if the
program is in C++, and if the program isn't something that runs from the
command line, the code can be modified to arrange that the output be somehow
visible.
Then run the program and reply with the output it produces.
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
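The diagnostic requested above, assembled into one complete program (an added example; not code from the original mail or from libpcap). It opens the interface the way the two reporters do, queries BIOCGRTIMEOUT on the pcap descriptor, and prints the raw timeval together with its meaning for pcap_dispatch(): a zero read timeout on a BPF device means read(2) only returns when the store buffer fills, which matches the "timer isn't expiring" hypothesis. It assumes a BPF platform (OS X or *BSD) with libpcap; the BPF-specific part is compiled out elsewhere so the two helper functions still build. The interface name "en0", the 1000 ms timeout and the BPF_TIMEVAL fallback are assumptions made here, not values from the thread.

```c
/*
 * bpftest: report the BPF read timeout libpcap installed on its capture
 * descriptor.  Added example, not from the original mail.
 * Assumes a BPF platform (OS X or *BSD) with libpcap; on other systems the
 * BPF-specific part is compiled out and main() just says so.
 * "en0" and the 1000 ms timeout are constructed sample values.
 */
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <sys/ioctl.h>
#include <sys/time.h>

#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__)
#define HAVE_BPF 1
#define PCAP_DONT_INCLUDE_PCAP_BPF_H   /* take struct bpf_* from the system header instead */
#include <pcap.h>
#include <net/bpf.h>
#ifndef BPF_TIMEVAL                    /* assumption: only OS X's bpf.h defines this name */
#define BPF_TIMEVAL timeval
#endif
#endif

/* Convert the timeout BIOCGRTIMEOUT reports to milliseconds, the unit
 * pcap_open_live() and pcap_set_timeout() take. */
long bpf_timeout_ms(long tv_sec, long tv_usec)
{
    return tv_sec * 1000L + tv_usec / 1000L;
}

/* What a given read timeout means for pcap_dispatch(): with a zero timeout,
 * read(2) on the BPF device returns only when the store buffer fills, so a
 * trickle of matching packets is not handed to userland promptly. */
const char *describe_bpf_timeout(long tv_sec, long tv_usec)
{
    if (tv_sec == 0 && tv_usec == 0)
        return "zero: no read timeout, read(2) blocks until the store buffer fills";
    if (tv_sec < 0 || tv_usec < 0 || tv_usec >= 1000000)
        return "invalid timeval";
    return "nonzero: read(2) returns when the timeout expires, buffer full or not";
}

#ifdef HAVE_BPF
/* Open the interface as the reporters do, then ask the kernel which read
 * timeout actually ended up on the descriptor. */
static int report_read_timeout(const char *device, int to_ms)
{
    char errbuf[PCAP_ERRBUF_SIZE];
    struct BPF_TIMEVAL t;
    pcap_t *pd;

    pd = pcap_open_live(device, 65535, 1, to_ms, errbuf);
    if (pd == NULL) {
        fprintf(stderr, "bpftest: pcap_open_live(%s) failed: %s\n", device, errbuf);
        return 1;
    }
    if (ioctl(pcap_fileno(pd), BIOCGRTIMEOUT, &t) == -1) {
        fprintf(stderr, "bpftest: BIOCGRTIMEOUT failed: %s\n", strerror(errno));
        pcap_close(pd);
        return 2;
    }
    printf("BIOCGRTIMEOUT = %#08lx, t.tv_sec = %ld, t.tv_usec = %ld (%ld ms; %s)\n",
           (unsigned long)BIOCGRTIMEOUT, (long)t.tv_sec, (long)t.tv_usec,
           bpf_timeout_ms((long)t.tv_sec, (long)t.tv_usec),
           describe_bpf_timeout((long)t.tv_sec, (long)t.tv_usec));
    pcap_close(pd);
    return 0;
}
#endif

int main(int argc, char **argv)
{
#ifdef HAVE_BPF
    const char *device = argc > 1 ? argv[1] : "en0";   /* constructed default interface */
    return report_read_timeout(device, 1000);          /* 1000 ms: a sample to_ms */
#else
    (void)argc; (void)argv;
    fprintf(stderr, "bpftest: not a BPF platform, nothing to query\n");
    return 0;
#endif
}
```

On a BPF system build it with `cc -o bpftest bpftest.c -lpcap` and run it as root (or with the /dev/bpf* permissions the capture already needs), optionally passing the interface name. If the printed tv_sec/tv_usec are both zero even though a nonzero to_ms was passed to pcap_open_live(), the timeout was not installed on the descriptor and the only thing that wakes read(2) is a full store buffer.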