On Tue, Feb 03, 2004 at 09:08:17PM +0100, Alberto Ornaghi wrote:
> I'm thinking about a function, let's call it pcap_flush(pcap_t *pd),
> that will zero the statistics and flush away any unread data from the
> pcap file descriptor.
Note that "zero[ing] the statistics" can be done, on systems using BPF
({Free,Net,Open,Dragonfly}BSD, BSD/OS, Mac OS X, AIX) only by keeping
getting the current statstics values, storing them in the "pcap_t", and
subtracing the stored values before returning them - there isn't an
ioctl to zero out the in-kernel statistics.
The same is true on SunOS 5.x - the bufmod STREAMS module has no way to
clear the count of dropped packets - and on SunOS 3.x and 4.x as well.
It appears to be the case on Irix also.
> think about a program that opens the fildesc with high privs and then
> drop them and let the user configure some parameter from a GUI. when the
> user chose to start to sniff, a relevant amount of time was elapsed
> between pcap_open_live and pcap_read. in this situation the user will
> get old packets (accumulated in the kernel buffer) and wrong statistics
> (high value for dropped packets).
What parameter would it let you configure after the capture starts and
before it starts reading packets?
Ethereal, for example, doesn't open the pcap_t until you've filled in
the parameter and click "OK" to start capturing - and, once that's done,
it starts reading packets shorly afterwards.
> do you think it will be useful to have such function? if so, i can
> implement it and propose a diff against the current release.
>
> i can simulate the flush of unread data within a loop, but the stats
> cannot be reset.
No, but an application that, for whatever reason, waits for a
significant amount of time before reading from the pcap_t could get the
statistics before it does the first read, and subtract those values from
the counts it gets later - which implements the same thing that libpcap
would end up implementing.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]
