> I am specifying a read timeout of 5000 milliseconds in
> the pcap_open_live call. However when I loop in
> pcap_dispatch (with a count of 0), it returns after
> every packet. My understanding on this was (based on
> the man page) that pcap_dispatch would keep calling
> the callback packet handler on every packet it gets,
> but will return only if either an error occurs, EOF is
> reached or read times out. In the absence of the
> first two cases, shouldnt pcap_dispatch be returning
> only once after atleast 5 seconds have passed since
> the last received packet ?
The man page has been revised since 0.4 came out. The old LBL man page
didn't describe the behavior of "pcap_dispatch()" correctly.
The LBL man page says
pcap_dispatch() is used to collect and process packets. cnt
specifies the maximum number of packets to process before
returning. A cnt of -1 processes all the packets received in
one buffer. A cnt of 0 processes all packets until an error
occurs, EOF is reached, or the read times out (when doing
live reads and a non-zero read timeout is specified). call-
back specifies a routine to be called with three arguments:
a u_char pointer which is passed in from pcap_dispatch(), a
pointer to the pcap_pkthdr struct (which precede the actual
network headers and data), and a u_char pointer to the
packet data. The number of packets read is returned. Zero
is returned when EOF is reached in a ``savefile.'' A return
of -1 indicates an error in which case pcap_perror() or
pcap_geterr() may be used to display the error text.
which is wrong, as it implies that a "cnt" of 0 means "pcap_dispatch()"
will loop indefinitely, "process[ing] all packets until an error
occurs". It does *NOT* loop indefinitely; if you want that, you use
"pcap_loop()".
The current man page says
pcap_dispatch() is used to collect and process packets. cnt
specifies the maximum number of packets to process before
returning. This is not a minimum number; when reading a
live capture, only one bufferful of packets is read at a
time, so fewer than cnt packets may be processed. A cnt of
-1 processes all the packets received in one buffer when
reading a live capture, or all the packets in the file when
reading a ``savefile''. callback specifies a routine to be
called with three arguments: a u_char pointer which is
passed in from pcap_dispatch(), a pointer to the pcap_pkthdr
struct (which precede the actual network headers and data),
and a u_char pointer to the packet data.
The number of packets read is returned. 0 is returned if no
packets were read from a live capture (if, for example, they
were discarded because they didn't pass the packet filter,
or if, on platforms that support a read timeout that starts
before any packets arrive, the timeout expires before any
packets arrive, or if the file descriptor for the capture
device is in non-blocking mode and no packets were available
to be read) or if no more packets are available in a ``save-
file.'' A return of -1 indicates an error in which case
pcap_perror() or pcap_geterr() may be used to display the
error text.
NOTE: when reading a live capture, pcap_dispatch() will not
necessarily return when the read times out; on some plat-
forms, the read timeout isn't supported, and, on other plat-
forms, the timer doesn't start until at least one packet
arrives. This means that the read timeout should NOT be
used in, for example, an interactive application, to allow
the packet capture loop to ``poll'' for user input periodi-
cally, as there's no guarantee that pcap_dispatch() will
return after the timeout expires.
pcap_loop() is similar to pcap_dispatch() except it keeps
reading packets until cnt packets are processed or an error
occurs. It does not return when live read timeouts occur.
Rather, specifying a non-zero read timeout to
pcap_open_live() and then calling pcap_dispatch() allows the
reception and processing of any packets that arrive when the
timeout occurs. A negative cnt causes pcap_loop() to loop
forever (or at least until an error occurs).
pcap_next() reads the next packet (by calling
pcap_dispatch() with a cnt of 1) and returns a u_char
pointer to the data in that packet. (The pcap_pkthdr struct
for that packet is not supplied.)
"pcap_dispatch()" processes "only one bufferful of packets ... at a
time" (or, as the old man page says, i, and, on Linux, a read from a
SOCK_PACKET or PF_PACKET socket (that being the mechanism used for raw
packet capture on Linux) returns one count 'em one packet.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
