On Sun, Jun 24, 2001 at 08:34:36AM -0500, Rick Richardson wrote:
> I was trying to use libpcap on BSDi to capture packets on a network
> with extremely low traffic -- like one packet per minute.
> 
> The timeout on pcap_open_live() didn't seem to do the trick -- I
> wasn't seeing the packets until maybe an hour had passed, then I'd
> get a bunch.

That sounds like a BPF bug on BSD/OS - I don't see that on FreeBSD 3.4,
for example; if I run "tcpdump -n" (so that tcpdump itself doesn't
generate any traffic looking up host names or addresses), and do
"ping -n -c 1 {IP address}" (so "ping" sends only one ICMP packet, and
doesn't generate any traffic looking up host names or addresses), the
ICMP echo and echo reply show up within a couple of seconds after the
"ping" command runs (the timeout that tcpdump uses is 1 second).

> So I put the BPF into immediate mode with:
> 
>         if (ioctl(p->fd, BIOCIMMEDIATE, &v) < 0) {
>                 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCIMMEDIATE: %s",
>                     pcap_strerror(errno));
>                 goto bad;
>         }
> 
> That sorta did the trick, and packets now come up immediately from the
> BPF.  The problem is, the packet buffers sent up aren't padded to a
> multiple of 4 bytes like the following [abbreviated for conciseness]
> pcap-bpf.c pcap_read() code requires...

I may be missing something, but I don't see anything in, for example,
the FreeBSD 3.4 BPF kernel code that would cause the padding not to be
put in if you're in immediate mode - and hacking libpcap to turn
immediate mode on doesn't seem to cause any problems for tcpdump on
FreeBSD 3.4 - so this may be another BSD/OS BPF bug.

> My question is: would you folks consider this a bug with the BSDi
> kernel BPF code, or a bug with the pcap-bpf.c code?

See above.

> What would be considered a "proper" fix for this problem?

BSDi^H^H^H^HWind River making sure BSD/OS's BPF functions, with regard
to

        1) the timeout specified by BIOCSRTIMEOUT

and

        2) the padding put on packets if immediate mode is on

the same way that other BSDs' BPF's behave.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
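
Added example (not from the thread and not libpcap's code): a bounds-checked walk over a BPF-style read buffer, showing why a reader that advances by a word-aligned stride depends on the kernel padding each record. struct rec_hdr is a simplified stand-in for struct bpf_hdr, the 4-byte alignment is the figure quoted in the thread, and put_rec, walk and demo are hypothetical names; the buffers are constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Assumption: simplified stand-in for struct bpf_hdr, not the <net/bpf.h> layout. */
struct rec_hdr {
    uint32_t tv_sec, tv_usec, caplen, datalen; /* timestamp, captured/wire length */
    uint16_t hdrlen, pad;                      /* header length, explicit padding */
};
#define ALIGNMENT ((size_t)4)   /* the "multiple of 4 bytes" from the thread */
#define WORDALIGN(x) (((size_t)(x) + ALIGNMENT - 1) & ~(ALIGNMENT - 1))

/* Append one constructed record; pad != 0 rounds the next offset up to a word. */
static size_t put_rec(uint8_t *buf, size_t off, uint32_t caplen, int pad) {
    struct rec_hdr h = { 0, 0, caplen, caplen, (uint16_t)sizeof h, 0 };
    memcpy(buf + off, &h, sizeof h);
    memset(buf + off + sizeof h, 0xAA, caplen);   /* dummy packet bytes */
    off += sizeof h + caplen;
    return pad ? WORDALIGN(off) : off;
}

/* Walk records with an aligned stride; return the count, or -1 on a bad header. */
static int walk(const uint8_t *buf, size_t len, uint32_t *caplens, int max) {
    size_t off = 0;
    int n = 0;
    while (off < len) {
        struct rec_hdr h;
        if (len - off < sizeof h) return -1;
        memcpy(&h, buf + off, sizeof h);          /* avoids unaligned loads */
        if (h.hdrlen < sizeof h || h.hdrlen > len - off ||
            h.caplen > len - off - h.hdrlen) return -1;
        if (n < max) caplens[n] = h.caplen;
        n++;
        size_t step = WORDALIGN((size_t)h.hdrlen + h.caplen);
        off = step > len - off ? len : off + step; /* last record is unpadded */
    }
    return n;
}

/* Build two records (61 and 42 captured bytes), padded or not, and walk them. */
int demo(int pad, uint32_t *caplens) {
    uint8_t buf[256] = { 0 };
    size_t end = put_rec(buf, put_rec(buf, 0, 61, pad), 42, 0);
    return walk(buf, end, caplens, 4);
}

int main(void) {
    uint32_t c[4] = { 0 };
    printf("padded: %d records, unpadded: %d\n", demo(1, c), demo(0, c));
    return 0;
}
```

With padding the walk recovers both records; without it the aligned stride lands three bytes into the second header, and the length checks reject the record instead of reading past the buffer.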