I believe there's a subtle problem in the description of pcap_dispatch:
pcap_dispatch() is used to collect and process packets. cnt specifies
the maximum number of packets to process before returning. A cnt of -1
processes all the packets received in one buffer. A cnt of 0 processes
all packets until an error occurs, EOF is reached, or the read times out
(when doing live reads and a non-zero read timeout is specified).
There's some missing semantics... here's why:
pcap_dispatch calls pcap_read (for each implementation type).
pcap_read uses the count to figure out how many to dispatch,
without retaining state from some previous block read...
so, notice what would happen if someone believed:
/*
* we just want to dispatch one packet at a time.
*/
pcap_dispatch( p, 1, target, rock );
according to the description, all the packets should still get
processed by target...
but what happens instead is that only ONE packet from the
front of EACH of the buffer's gets processed.. the rest
get discarded.
Now, that's fine, really, since cnt is meant to mainly deal with
tcpdump's cnt option, but the description is misleading.
mts.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
