On Wed, Apr 11, 2001 at 04:57:27PM +0200, Sebastian Proba wrote:
>
> Thanks for help, I didn't solve the problem but I'll try to test it on eth.
>
> > On what OS? (I assume it's probably either some Linux distribution or
> > some flavor of BSD - or *maybe* Digital UNIX, although I don't remember
> > whether I got it to work there or not - as, on at least some other OSes,
> > you can't capture on the loopback device.)
>
> It's Linux Mandrake 7.2
>
> > The callback routine for "pcap_loop()" is passed data for a packet, so
> > if it's called four times for every packet, presumably one of those
> > times you get the actual packet data - what is it getting passed on the
> > other three calls? (Note that on Linux, versions of libpcap prior to
> > 0.6 supplied two copies of every packet sent over the loopback
> > interface, due to the way the loopback interface code works; libpcap 0.6
> > and later throw away one of those copies, so you see only one copy.)
>
> I get four copies of the same packet - I think the problem is in the way
> loopback works, as you wrote.

If you're using libpcap 0.6.1 or 0.6.2 (on a 2.2 or later kernel, but as
you're running Mandrake 7.2, you're presumably not running a
2.0[.x] kernel), that shouldn't happen - libpcap should be showing you
only one copy of the loopback packet.

If you're using an earlier version of libpcap, you'll see two copies of
the loopback packet - you shouldn't see four copies.

What does "tcpdump -h" print?

> But I have one more question. What is the (u_char* user) variable for? It
> appears in a few functions but it isn't documented in the manual.

It's used to supply arbitrary data to the callback function for
"pcap_dispatch()" or "pcap_loop()"; if, for example, the callback
function is supposed to write packets to a file, the "user" argument to
"pcap_dispatch()" or "pcap_loop()" could be a pointer to some data
structure that referred to that file, and the callback function would
cast that pointer to point to such a data structure, and use it.
(That's how "pcap_dump()" works, for example; the structure in that case
is a standard I/O "FILE" structure.)

The manual mentions it, although not by name, and perhaps doesn't give
as much detail as it could about the connection between the "user"
argument to "pcap_dispatch()" and the "user" argument to the callback
routine:

    pcap_dispatch() is used to collect and process packets.
    cnt specifies the maximum number of packets to process
    before returning. This is not a minimum number; when
    reading a live capture, only one bufferful of packets is
    read at a time, so fewer than cnt packets may be pro-
    cessed. A cnt of -1 processes all the packets received in
    one buffer when reading a live capture, or all the packets
    in the file when reading a ``savefile''. callback speci-
    fies a routine to be called with three arguments: a u_char
                                                      ^^^^^^^^
    pointer which is passed in from pcap_dispatch(), a pointer
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    to the pcap_pkthdr struct (which precede the actual net-
    work headers and data), and a u_char pointer to the packet
    data.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
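
The "user" mechanism described in the reply above, as an added example that is not part of the original message: the callback gets its own state through "user", casts it back, and uses it to count how many copies of each packet it is handed (the symptom discussed in this thread). demo_loop(), struct demo_pkthdr and struct dup_state are hypothetical stand-ins so the code runs without libpcap; with libpcap the same pointer would be passed as the last argument to pcap_loop() or pcap_dispatch().

```c
#include <stdio.h>
#include <string.h>

struct demo_pkthdr { unsigned caplen; };  /* stand-in for struct pcap_pkthdr */

/* Hypothetical per-capture state, handed to the callback through "user". */
struct dup_state {
    unsigned char last[64];   /* previous packet, truncated to 64 bytes */
    unsigned last_len, calls, distinct, run, max_copies;
};

/* Callback with the same three-argument shape as a libpcap callback. */
static void count_copies(unsigned char *user, const struct demo_pkthdr *h,
                         const unsigned char *bytes)
{
    struct dup_state *st = (struct dup_state *)user;   /* cast "user" back */
    unsigned n = h->caplen < 64 ? h->caplen : 64;
    int same = st->calls++ > 0 && n == st->last_len && !memcmp(st->last, bytes, n);
    st->run = same ? st->run + 1 : 1;   /* length of the current run of copies */
    st->distinct += !same;              /* count packets that start a new run */
    memcpy(st->last, bytes, n);
    st->last_len = n;
    if (st->run > st->max_copies) st->max_copies = st->run;
}

/* Stand-in for pcap_loop(): hands "user" unchanged to every callback call. */
static void demo_loop(const unsigned char pkts[][2], unsigned count,
                      unsigned char *user)
{
    struct demo_pkthdr h = { 2 };
    for (unsigned i = 0; i < count; i++)
        count_copies(user, &h, pkts[i]);
}

/* Constructed input: one packet delivered four times, a second one twice. */
struct dup_state run_demo(void)
{
    static const unsigned char pkts[6][2] = {{1,2},{1,2},{1,2},{1,2},{9,9},{9,9}};
    struct dup_state st = {0};
    demo_loop(pkts, 6, (unsigned char *)&st);
    return st;
}

int main(void)
{
    struct dup_state st = run_demo();
    printf("%u calls, %u distinct, max %u copies\n", st.calls, st.distinct, st.max_copies);
    return 0;
}
```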