On Apr 7, 2013, at 2:47 PM, Ahmed Elshaer <[email protected]> wrote:

> What is the difference between
> pcap_open and pcap_open_live

pcap_open() supports some options that pcap_open_live() doesn't, such as 
providing a user name and password for remote capture, some flags for remote 
capture, and an option to return packets as soon as they arrive.

If you don't need any of the options that pcap_open() supports, and want your 
code to be portable to non-Windows systems, pcap_open_live() is the best 
choice.  pcap_open_live() is also a bit simpler to call. If you need those 
options, pcap_open() is the best choice.

> findalldevs_ex and findalldevs

pcap_findalldevs_ex() can ask a remote machine running the rpcap service what 
devices it has to capture on; pcap_findalldevs() can only check for local 
devices.

If you don't need to support capturing from interfaces attached to other 
machines, and want your code to be portable to non-Windows systems, 
pcap_findalldevs() is the best choice.  It is also a bit simpler to call.  If 
you want to support capturing on interfaces attached to other machines, 
pcap_findalldevs_ex() is the best choice.

> pcap_loop and pcap_dispatch and pcap_next_ex

pcap_loop() will keep reading packets until the specified count runs out or 
pcap_breakloop() is called (in another thread).

pcap_dispatch() will do at most one blocking call into the OS per call to 
pcap_dispatch(); it's primarily intended for use when your program has a main 
loop using calls such as select()/poll()/etc. on UN*X or 
WaitForMultipleObjects()/MsgWaitForMultipleObjects() on Windows, so that the 
main loop is handling both packets and other things (network connections, 
devices, window system input events).

Both pcap_loop() and pcap_dispatch() use callbacks to supply packets, and 
pcap_next_ex(), in effect, calls pcap_loop() with a count of 1 with its own 
callback that fills in some information that it then returns.  pcap_loop() and 
pcap_dispatch() might thus have less overhead, but you have to supply a 
callback rather than doing something simpler such as

        for (;;) {
                get a packet with pcap_next_ex();
                if (error) {
                        report the error;
                        break;
                }
                process the packet;
        }

If you're not doing your own main loop in the fashion I described, there's no 
reason to use pcap_dispatch().  If you are, you would either use it or put the 
pcap_t into non-blocking mode and write your own loop using pcap_next_ex(), 
processing packets until you get an error or a "no packets available right now" 
indication, and then going back to the main loop to wait for an event.

Whether to use pcap_loop() or pcap_next_ex(), in the case where you don't have 
your own main loop, depends on whether a callback or a loop of your own is more 
convenient, and whether the extra overhead of pcap_next_ex() actually makes a 
difference.
_______________________________________________
Winpcap-users mailing list
[email protected]
https://www.winpcap.org/mailman/listinfo/winpcap-users
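
Added example, not part of the original message or of the WinPcap/libpcap sources: the "process packets until you get an error or a 'no packets available right now' indication, then go back to the main loop" pattern from the reply, written against the return convention of pcap_next_ex(). The names drain_packets(), next_from_pcap(), next_from_script(), count_bytes() and the USE_LIBPCAP build flag are assumptions of this example, and the scripted source is constructed so the loop can run without a capture device.

```c
#include <stddef.h>

/* Same return convention as pcap_next_ex(): 1 = packet delivered,
 * 0 = no packet available right now, negative = error or end of savefile. */
typedef int (*next_fn)(void *src, const unsigned char **data, unsigned *len);
typedef void (*packet_fn)(const unsigned char *data, unsigned len, void *user);

/* Call when the main loop sees the capture source ready.  Returns 0 to go
 * back to waiting, or the negative status that ended the capture. */
int drain_packets(next_fn next, void *src, packet_fn handle, void *user,
                  unsigned *handled)
{
    const unsigned char *data;
    unsigned len;
    int rc;

    *handled = 0;
    while ((rc = next(src, &data, &len)) == 1) {
        handle(data, len, user);
        (*handled)++;
    }
    return rc;
}

#ifdef USE_LIBPCAP              /* assumed build flag; link with -lpcap */
#include <pcap.h>
/* Adapter for a pcap_t already put in non-blocking mode by pcap_setnonblock(). */
int next_from_pcap(void *src, const unsigned char **data, unsigned *len)
{
    struct pcap_pkthdr *hdr;
    int rc = pcap_next_ex((pcap_t *)src, &hdr, data);
    if (rc == 1) *len = hdr->caplen;  /* captured bytes; can be < hdr->len */
    return rc;
}
#endif

/* Constructed stand-in source: replays a script of return codes. */
struct scripted { const int *rc; size_t n, pos; };
int next_from_script(void *src, const unsigned char **data, unsigned *len)
{
    static const unsigned char frame[] = { 0xde, 0xad, 0xbe, 0xef };
    struct scripted *s = src;
    int rc = s->pos < s->n ? s->rc[s->pos++] : 0;
    if (rc == 1) { *data = frame; *len = sizeof frame; }
    return rc;
}

void count_bytes(const unsigned char *data, unsigned len, void *user)
{
    (void)data;
    *(unsigned *)user += len;
}
```

With libpcap, pass next_from_pcap and the pcap_t; on UN*X the descriptor to wait on in select()/poll() comes from pcap_get_selectable_fd().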
