Hi.
I found that it's quite difficult to use the pcap APIs in threads:
I usually use a thread that captures packets in the background, while the
main thread handles the GUI interface.
I want to use the same thread both to perform live captures and reads from
file (the pcap APIs were thought to work this way).
The problems are
1. pcap_loop is not handy: how can I stop the thread?
I can use pcap_dispatch, reading 1 packet at a
time (or pcap_next), but this does not solve
the following problem
2. If I perform a live capture, pcap_dispatch returns the
number of read packets (or 0 in case of read timeout).
In case of a offline capture (from file), pcap_dispatch returns
the number of packets, or 0 if EOF is reached.
Here is the problem: how I can distinguish between a EOF (in this
case pcap_dispatch returns 0), from a read timeout of a live capture
(which returns again 0)?? Any hint, apart from using pcap_fileno, which
breaks the model of indipendence from the source (live/file)?
I'd like to propose this pcap API,
int pcap_read_ext(pcap_t *, struct the_packet *);
where the_packet is defined as
struct the_packet
{
struct pcap_pkthdr *h;
u_char *sp;
};
The return values of this API are the following
0 -> no packet is available in (the_packet*) (read timeout from a live
capture)
1 -> a packet is available in (the_packet*)
-1 -> error (error during live read, error reading from file....).
errbuf contains the error message
-2 -> EOF reached (only during file read).
What do you think about it?
Any comments?
I have already developed this API (for WinPcap), which seems to work
(although I didn't test it much).
Gianluca Varenni
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
