I am using libpcap-0.6.2 on OpenBSD 2.9.
In pcap-bpf.c, in the pcap_open_live function, I set BIOCIMMEDIATE,
which means that pcap_read should return immediately without delay.
But it still maintains the timeout.
    v = 1;
    if (ioctl(p->fd, BIOCIMMEDIATE, &v) < 0) {
        snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCIMMEDIATE: %s",
            pcap_strerror(errno));
        goto bad;
    }
Any pointers are welcome.
Thanks
Ashley
On Sat, Jul 07, 2001 at 10:41:34PM +0000, ashley thomas wrote:
> I have noticed that pcap_next() call is taking in the order of 10-20 ms before
> returning the next packet from the libpcap layer. Is this a method used in
> libpcap so that they buffer some packets and return a bunch instead of one
> by one?
Yes, on some platforms (BSD, Digital UNIX, Solaris).
The BSD man page for BPF, the mechanism libpcap uses on BSD, says:
    BIOCGRTIMEOUT (struct timeval) Set or get the read timeout parameter.
        The argument specifies the length of time to wait before
        timing out on a read request. This parameter is
        initialized to zero by open(2), indicating no timeout.
The BPF paper from the 1993 Winter USENIX, which is linked to from
http://www.tcpdump.org/related.html
(look for "Usenix 93 paper on BPF"), gives more details.
The way it works is that:
    if no timeout is set, a read from a BPF device will not return
        until the "store buffer" for the BPF device fills up with
        packets;
    if a timeout is set, a read from a BPF device will not return
        until either the "store buffer" fills up or the timeout expires.
The timeout is the value specified in the "pcap_open_live()" call; from
the latest pcap man page:
    pcap_open_live() is used to obtain a packet capture
    descriptor to look at packets on the network. ...
    ...
    ... to_ms specifies
    the read timeout in milliseconds. The read timeout is
    used to arrange that the read not necessarily return
    immediately when a packet is seen, but that it wait for some
    amount of time to allow more packets to arrive and to read
    multiple packets from the OS kernel in one operation. Not
    all platforms support a read timeout; on platforms that
    don't, the read timeout is ignored. ...
tcpdump supplies a timeout of 1000ms.
> Can we somehow specify that: Do not buffer and deliver the packet asap.
> This was seen on OpenBSD, and libpcap 0.6
libpcap doesn't itself support a mechanism to do that.
However, on at least some BSD systems, you can use a BIOCIMMEDIATE ioctl
on the BPF device to do that; "pcap_fileno()" returns, on BSD systems,
the file descriptor for the BPF device, and a BIOCIMMEDIATE ioctl:
    BIOCIMMEDIATE (u_int) Enable or disable ``immediate mode'', based on the
        truth value of the argument. When immediate mode is
        enabled, reads return immediately upon packet reception.
        Otherwise, a read will block until either the kernel
        buffer becomes full or a timeout occurs. This is useful
        for programs like rarpd(8) which must respond to messages
        in real time. The default for a new file is off.
(from the FreeBSD 3.4 BPF man page; the OpenBSD 2.8 man page, at least
as shown by the FreeBSD Web site, says the same thing) can put the
device into "immediate mode".
Ashley Thomas
1713 Crest road #1
Raleigh NC 27606
phone (919)-829-3576
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html