Hi, I am using libpcap-0.6.2 on freebsd.
I have a question regardingwhen libpcap will drop packets as the application using libpcap is slow. Libpcap has a buffer of 32768 bytes which is filled with packets. Each time the application does a pcap_next or pcap_loop the libpcap gives the next packet from its buffer. and when there are no more packets it its buffer it does a read from the bpf device. The application over libpcap(IDS) has to process the packets in the libpcap buffer before libpcap does another read from the BPF. Therefore if the application is processing packets slower than the rate at which packets are coming to the network interface, then we should see that read will return close to 32768 bytes , right ? Is this reasoning correct or is there some loop hole ? Please correct if i am wrong. If when libpcap reads from BPF it sees that ~32768 bytes is given, it indicates that the application above libpcap is not processing fast enough and therefore the buffers in BPF gets its buffers full and may lead to packet drops soon. any pointers / corrections is welcome. thanks a lot ashley thomas - This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
