--------------------------------------------------
From: "Guy Harris" <[email protected]>
Sent: Monday, August 23, 2010 4:38 PM
To: <[email protected]>
Subject: Re: [Winpcap-users] can I change a filter during capture with WinPCap without losing packets?

>
> On Aug 23, 2010, at 4:28 PM, Gianluca Varenni wrote:
>
>> The problem is not the swap time. The problem is that immediately before
>> the swap, the kernel ring buffer holding the packets in the driver is
>> emptied.
>
> FreeBSD has, as of FreeBSD 7.1:
>
> http://www.freebsd.org/cgi/man.cgi?query=bpf&apropos=0&sektion=0&manpath=FreeBSD+7.1-RELEASE&format=html
>
> two ioctls to set the filter - one of which flushes the old packets in the
> buffer when switching filters (so that no packets that passed the old
> filter but would not have passed the new filter are left in the buffer to
> read after switching the filter), and one of which doesn't (for use in
> cases where you don't expect that, after setting the filter, *no* packets
> that would not pass the new filter will be read, which might be the case
> here).
>
> WinPcap could probably do the same thing - but it currently doesn't, so
> that suggestion is currently of use only to somebody willing to dive in
> and tweak the WinPcap driver and run the modified driver. For programs
> using libpcap/WinPcap, it'd also require a pcap_setfilter_noflush() call
> in libpcap/WinPcap. (Now that FreeBSD has it, and given that I think
> Linux doesn't flush the buffer when you change the filter, it might be
> worth adding that API, although it'd fail on platforms where that can't be
> done.)

The main problem would be Linux, where the only behavior is not flushing the buffers. So either you have a broken API like pcap_setfilter that is supposed to flush the buffer (but it doesn't) or you break the Linux applications by adding the pcap_setfilter_noflush and have pcap_setfilter fail on Linux. Something broken in both cases...

Have a nice day
GV

>
> (Of course, if there's some mechanism by which a program can find out the
> names or IP addresses of *all* the HTTP proxy servers Greg's machine could
> be using, an ordinary filter giving "host XXX or host YYY or host ZZZ"
> would suffice here - you wouldn't have to try to capture the DNS reply
> giving the proxy IP address and switch the filter to look for that host.)
> _______________________________________________
> Winpcap-users mailing list
> [email protected]
> https://www.winpcap.org/mailman/listinfo/winpcap-users
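
Added example, not part of the thread and not WinPcap, libpcap or FreeBSD code: a small C model of the two filter-swap behaviours discussed above, showing what the application can still read after the swap in each case. All names (ring_deliver, ring_setfilter, run_scenario), the packet labels and the address 192.0.2.10 are constructed for illustration, and a "filter" is reduced to a substring match.

```c
#include <stdio.h>
#include <string.h>

/* Toy model, constructed for illustration: a capture buffer of packets that
 * passed whichever filter was installed when they arrived. */
#define RING_CAP 16
struct ring {
    const char *pkt[RING_CAP];   /* packets are just text labels here */
    size_t count;
    const char *filter;          /* a packet passes if it contains this */
};

/* Driver side: test an arriving packet against the current filter. */
static void ring_deliver(struct ring *r, const char *pkt)
{
    if (r->count < RING_CAP && strstr(pkt, r->filter) != NULL)
        r->pkt[r->count++] = pkt;
}

/* Filter swap: flush != 0 empties the buffer first, flush == 0 keeps it. */
static void ring_setfilter(struct ring *r, const char *filter, int flush)
{
    if (flush)
        r->count = 0;            /* buffered, unread packets are lost */
    r->filter = filter;
}

/* Two packets are buffered but unread when the filter is swapped. Returns
 * the number of packets readable afterwards; *stale counts those that
 * would not pass the new filter. */
static size_t run_scenario(int flush, size_t *stale)
{
    struct ring r = { {0}, 0, "dns" };
    size_t i;
    ring_deliver(&r, "dns reply: proxy is 192.0.2.10");
    ring_deliver(&r, "dns reply: unrelated name");
    ring_setfilter(&r, "192.0.2.10", flush);
    ring_deliver(&r, "tcp to 192.0.2.10:8080");
    for (*stale = 0, i = 0; i < r.count; i++)
        if (strstr(r.pkt[i], r.filter) == NULL)
            (*stale)++;
    return r.count;
}

int main(void)
{
    size_t s, n = run_scenario(1, &s);
    printf("flush:    %zu readable, %zu stale\n", n, s);
    n = run_scenario(0, &s);
    printf("no flush: %zu readable, %zu stale\n", n, s);
}
```

With the flushing swap only the packet that arrived after the swap is readable; with the non-flushing swap all three are, including one that the new filter would have rejected.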
