On Fri, Jul 26, 2002 at 11:30:55PM -0500, Barclay, Nathan wrote:
> I have a question related to IRIX platforms.  Does anyone know what the
> reason for the SIOCSNOOPLEN ioctl in pcap-snoop.c is?

The IRIX 6.5 SNOOP(7P) man page at

        http://techpubs.sgi.com/library/tpl/cgi-bin/getdoc.cgi?coll=0650&db=man&fname=/usr/share/catman/a_man/cat7/snoop.z&srch=snoop

says:

        The SIOCSNOOPLEN command takes the address of an integer telling
        how many bytes of packet data to capture (the link-layer header
        is always captured).

so the reason is to implement the "snaplen" argument to
"pcap_open_live()".

> I've managed to find enough information to establish that the ioctl limits
> how much data the "snoop" mechanism will collect in each packet, but as best
> I can tell in the testing I've done so far, that has no real effect on the
> user.  If the ioctl doesn't limit the amount of data captured, a check
> against p->snapshot in the pcap_read function still ensures that the caplen
> returned to the user will not be larger than desired.

The purpose of the "snaplen" argument isn't to limit the value supplied
in the pcap header; the goal is to limit the amount of data copied from
the kernel into the userland buffer when a packet is received, so that
if somebody doesn't need the entire packet, CPU time isn't wasted
copying all the packet data to userland.

I.e., "snaplen" isn't there just to limit the amount of captured data
libpcap tells the callers is available, it's there to actually limit the
amount of captured data that *is* available, on platforms that support
that.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
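
The following is an added example, not part of the original message and not libpcap or IRIX code: a small C model of the two places truncation can happen, showing that the caplen reported to the caller is the same either way while the bytes copied to userland differ. All names (`kernel_deliver`, `user_caplen`, `run_capture`), the 14-byte link-layer header, and the sample packet lengths are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LINK_HDR 14  /* assumed Ethernet header; always captured, per the man page */

struct stats { size_t copied; size_t caplen_total; };

/* Kernel side of the model: copy the link-layer header plus at most klimit
 * bytes of packet data into the user buffer. klimit == (size_t)-1 models a
 * capture on which no SIOCSNOOPLEN-style limit was set. */
static size_t kernel_deliver(const unsigned char *pkt, size_t len,
                             size_t klimit, unsigned char *ubuf, size_t ubufsz)
{
    size_t hdr = len < LINK_HDR ? len : LINK_HDR;
    size_t data = len - hdr;
    size_t n = hdr + (data < klimit ? data : klimit);
    if (n > ubufsz) n = ubufsz;
    memcpy(ubuf, pkt, n);   /* this copy is the cost snaplen is meant to bound */
    return n;
}

/* User side of the model: the clamp against the snapshot length in the read path. */
static size_t user_caplen(size_t delivered, size_t snapshot)
{
    return delivered > snapshot ? snapshot : delivered;
}

/* Run constructed packets through the model, with or without the kernel limit. */
struct stats run_capture(const size_t *lens, size_t n, size_t snapshot, int kernel_limit)
{
    static unsigned char pkt[1514], ubuf[1514];  /* constructed all-zero packets */
    struct stats s = {0, 0};
    size_t klimit = !kernel_limit ? (size_t)-1
                  : (snapshot > LINK_HDR ? snapshot - LINK_HDR : 0);
    for (size_t i = 0; i < n; i++) {
        size_t len = lens[i] > sizeof pkt ? sizeof pkt : lens[i];
        size_t got = kernel_deliver(pkt, len, klimit, ubuf, sizeof ubuf);
        s.copied += got;
        s.caplen_total += user_caplen(got, snapshot);
    }
    return s;
}

int main(void)
{
    size_t lens[] = {60, 1514, 1514, 590};  /* constructed sample lengths */
    struct stats k = run_capture(lens, 4, 68, 1), u = run_capture(lens, 4, 68, 0);
    printf("kernel limit: copied=%zu caplen=%zu\n", k.copied, k.caplen_total);
    printf("user clamp:   copied=%zu caplen=%zu\n", u.copied, u.caplen_total);
    return 0;
}
```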
