foundry27 : Post

Forum Topic - libpcap: pcap_open_live with no read timeout (to_ms=0): (8 Items)

View: as

Christopher Pohl

07/18/2008 9:00 AM

post10697

libpcap: pcap_open_live with no read timeout (to_ms=0)

Hi all, 

I'm experimenting with the pcap library and I open it in the following way: 

pcap_open_live("tsec0", 1500, 1, 0, ebuf);

i.e. I'm using a zero read timeout for the BPF device. 
The filter is setup to capture small amounts of packets every few seconds. 

Later on I use pcap_loop() to receive packets. 

My expectation from reading various man pages about libpcap was to be immediately be notified of any arriving packet 
when using this zero timeout live capture setup. 

However, it seems to me that I am getting notified of a whole bunch of frames at once , as soon as ~1500 bytes (the 
snaplen) of frames have arrived (considerable delay w.r.t. to the arrival of the first frame). 

Is the latter how it's supposed to be behave on QNX ? If so, is there any way to be immediately notified ? 

BTW, the source file ./dist2/libpcap/pcap-bpf.c::pcap_open_live() line ~900++ contains a comment about this kind of 
behaviour on AIX and different variants of BSD. 

Thanks for any help. 
Christopher

Sean Boudreau(deleted)

Re: libpcap: pcap_open_live with no read timeout (to_ms=0)

Sean Boudreau(deleted)

07/18/2008 9:23 AM

post10702

Re: libpcap: pcap_open_live with no read timeout (to_ms=0)

On Fri, Jul 18, 2008 at 09:00:32AM -0400, Christopher Pohl wrote:
> Hi all, 
> 
> I'm experimenting with the pcap library and I open it in the following way: 
> 
> pcap_open_live("tsec0", 1500, 1, 0, ebuf);
> 
> i.e. I'm using a zero read timeout for the BPF device. 
> The filter is setup to capture small amounts of packets every few seconds. 
> 
> Later on I use pcap_loop() to receive packets. 
> 
> My expectation from reading various man pages about libpcap was to be immediately be notified of any arriving packet 
when using this zero timeout live capture setup. 
> 
> However, it seems to me that I am getting notified of a whole bunch of frames at once , as soon as ~1500 bytes (the 
snaplen) of frames have arrived (considerable delay w.r.t. to the arrival of the first frame). 
> 
> Is the latter how it's supposed to be behave on QNX ? If so, is there any way to be immediately notified ? 
> 
> BTW, the source file ./dist2/libpcap/pcap-bpf.c::pcap_open_live() line ~900++ contains a comment about this kind of 
behaviour on AIX and different variants of BSD. 

Can you post a small test case?  We should follow the NetBSD behaviour.

-seanb

Christopher Pohl

07/18/2008 9:37 AM

post10704

Re: libpcap: pcap_open_live with no read timeout (to_ms=0)

> Can you post a small test case?  We should follow the NetBSD behaviour.
> 
> -seanb

I'll try to create one. At the moment my incoming (captured) traffic is generated by an external machine, so i have to 
fake that somehow to make the test case any useful. I'm going to post it here then. 

I noticed the following in the mean time, maybe the information is useful for you: 

When I do 

one = 1;
ioctl(*((int*)(ctx.pcaph)), BIOCIMMEDIATE, &one);

(the cast evalutes to pcap's internal /dev/bpf file descriptor) then this causes frames to show up immediately in my 
packet handler one by one without delay. 

Christopher.

Sean Boudreau(deleted)

07/18/2008 9:40 AM

post10707

Re: libpcap: pcap_open_live with no read timeout (to_ms=0)

On Fri, Jul 18, 2008 at 09:37:50AM -0400, Christopher Pohl wrote:
> 
> > Can you post a small test case?  We should follow the NetBSD behaviour.
> > 
> > -seanb
> 
> I'll try to create one. At the moment my incoming (captured) traffic is generated by an external machine, so i have to
 fake that somehow to make the test case any useful. I'm going to post it here then. 
> 
> I noticed the following in the mean time, maybe the information is useful for you: 
> 
> When I do 
> 
> one = 1;
> ioctl(*((int*)(ctx.pcaph)), BIOCIMMEDIATE, &one);
> 
> (the cast evalutes to pcap's internal /dev/bpf file descriptor) then this causes frames to show up immediately in my 
packet handler one by one without delay. 
> 
> Christopher. 
> 

Don't worry about actually generating traffic.  I can do that here.

Regards,

-seanb

Sean Boudreau(deleted)

Re: libpcap: pcap_open_live with no read timeout (to_ms=0)

Sean Boudreau(deleted)

07/25/2008 3:49 PM

post11105

Re: libpcap: pcap_open_live with no read timeout (to_ms=0)

On Fri, Jul 18, 2008 at 09:00:32AM -0400, Christopher Pohl wrote:
> Hi all, 
> 
> I'm experimenting with the pcap library and I open it in the following way: 
> 
> pcap_open_live("tsec0", 1500, 1, 0, ebuf);
> 
> i.e. I'm using a zero read timeout for the BPF device. 
> The filter is setup to capture small amounts of packets every few seconds. 
> 
> Later on I use pcap_loop() to receive packets. 
> 
> My expectation from reading various man pages about libpcap was to be immediately be notified of any arriving packet 
when using this zero timeout live capture setup. 
> 
> However, it seems to me that I am getting notified of a whole bunch of frames at once , as soon as ~1500 bytes (the 
snaplen) of frames have arrived (considerable delay w.r.t. to the arrival of the first frame). 
> 
> Is the latter how it's supposed to be behave on QNX ? If so, is there any way to be immediately notified ? 
> 
> BTW, the source file ./dist2/libpcap/pcap-bpf.c::pcap_open_live() line ~900++ contains a comment about this kind of 
behaviour on AIX and different variants of BSD. 
> 
> Thanks for any help. 
> Christopher
> 

I did some experimenting here and we do seem to follow the
NetBSD behaviour.  If the timeout is 0 it means to block
until "some" packets have built up.  This is doc'd in
trunk/dist2/libpcap/pcap.3.

Regards,

-seanb

Mohammad Dadashzadeh(deleted)

Re: libpcap: pcap_open_live with no read timeout (to_ms=0)

Mohammad Dadashzadeh(deleted)

07/29/2009 4:16 PM

post34856

Re: libpcap: pcap_open_live with no read timeout (to_ms=0)

I have the same problem,  were you be able to solve the problem.

Mohammad

Sean Boudreau(deleted)

Re: libpcap: pcap_open_live with no read timeout (to_ms=0)

Sean Boudreau(deleted)

07/29/2009 4:20 PM

post34857

Re: libpcap: pcap_open_live with no read timeout (to_ms=0)

On Wed, Jul 29, 2009 at 04:16:58PM -0400, Mohammad Dadashzadeh wrote:
> I have the same problem,  were you be able to solve the problem.

This wasn't a bug. timeout of 0 means wait until
the buffer is full.

-seanb

Christopher Pohl

Re: libpcap: pcap_open_live with no read timeout (to_ms=0)

Christopher Pohl

07/30/2009 4:09 AM

post34876

Re: libpcap: pcap_open_live with no read timeout (to_ms=0)

As Sean said, this is how NetBSD behaves. 

The following may help you:

#ifdef BIOCIMMEDIATE
/*
 * When libpcap uses BPF we must enable "immediate mode" to
 * receive frames right away; otherwise the system may
 * buffer them for us.
 */
{
    unsigned int on = 1;
    if (ioctl(pcap_fileno(l2->pcap), BIOCIMMEDIATE, &on) < 0) {
        fprintf(stderr, "%s: cannot enable immediate mode on interface %s: %s\n",
                __func__, l2->ifname, strerror(errno));
                /* XXX should we fail? */
    }
}
#endif /* BIOCIMMEDIATE */

(stolen from WPA supplicant's sources: http://hostap.epitest.fi/wpa_supplicant/ )

Christopher.

Return

The text you entered is not a valid object ID
More Information
Object IDs begin with an object prefix and end with a number. For example, if you enter
artf2345
the application will jump directly to an artifact with the ID artf2345. Some valid object prefixes are:
artf	for an artifact
doc	for a document
page	for a project page
topc	for a discussion topic
wiki	for a wiki page