0

I have a socket bound to a NIC that I am using to capture packets in a pcap_loop.

I have a separate process running that eventually does a "read" on that same device, but only after a unix local pipe is ready to be read. Is it correct to say that the read() on the device from the 2nd process will read everything that's ready, not just one packet at a time, even though my other process is set up to use pcap_loop to read a packet at a time?

Derek

1 Answer

2

> I have a socket bound to a NIC that I am using to capture packets in a pcap_loop.

You say "socket", so I'm guessing that this is Linux (it could also be IRIX, but that's a lot less likely, and the answer is the same in either case; other OSes don't use sockets in libpcap, the native capture mechanism on those OSes uses mechanisms other than sockets).

> I have a separate process running that eventually does a "read" on that same device, but only after a unix local pipe is ready to be read. Is it correct to say that the read() on the device from the 2nd process will read everything that's ready, not just one packet at a time,

No. A PF_PACKET socket returns one packet at a time from a read().

There is, by the way, no guarantee that reading from the socket with a read and handling the same socket in libpcap at the same time will work. Libpcap might be using the memory-mapped mechanism to get the packets; unless you've seen documentation on how the memory-mapped mechanism works with read()s done elsewhere, or have read the Linux kernel code enough to figure out how it works, you might not want to assume it'll work the way you want.

If, however, this is FreeBSD, as suggested (but not stated) by the tag, then what libpcap is using is a BPF device, *NOT* a socket. A read() will give you an entire bufferful of packets, and the read()s done by libpcap will give libpcap an entire bufferful of packets, even if it happens to call your callback once per packet. The same issues of read() vs. memory-mapped access could occur, but the memory-mapped BPF in later versions of FreeBSD isn't, by default, used by libpcap.

  • Thanks for the reply. It is true that I may have my nomenclature wrong, and also true that this is in FreeBSD. I just assumed that pcap_loop(...mymethod...) called mymethod once per packet, because it seems that is the case when I am parsing the packets in that method. This is confusing to me because of the flow of the program, it seems like process B that is reading one packet at a time can lag behind process A which is getting that full buffer for every one packet. – Derek Sep 25 '12 at 14:15
  • `pcap_loop()` *does* call the callback once per packet. However, that doesn't mean it reads each of those packets with a separate `read()`. It reads an entire bufferful of packets and then iterates through the packets in the buffer and calls your callback for each of those packets. Then it does another `read()` and continues the process (as long as the *cnt* argument is -1). –  Sep 28 '12 at 00:55
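
The behaviour described in the answer and its last comment, as an added example that is not part of the original thread and is not libpcap's code: the bytes from one `read()` are walked record by record and a callback fires once per packet. The header struct, the `demo_*` names and the buffer contents are constructed stand-ins, not FreeBSD's `struct bpf_hdr`.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-in for FreeBSD's struct bpf_hdr; this layout is an assumption. */
struct demo_hdr {
    uint32_t caplen, datalen; /* bytes stored / original length on the wire */
    uint16_t hdrlen;          /* header length including padding */
};
#define DEMO_WORDALIGN(x) (((x) + sizeof(long) - 1) & ~(sizeof(long) - 1))
typedef void (*demo_cb)(const struct demo_hdr *h, const uint8_t *pkt);

/* Walk the bytes of ONE read(): one callback per packet; -1 if a record overruns. */
int demo_walk(const uint8_t *buf, size_t len, demo_cb cb)
{
    int n = 0;
    for (size_t off = 0; off < len; n++) {
        struct demo_hdr h;
        if (len - off < sizeof h) return -1;
        memcpy(&h, buf + off, sizeof h); /* avoid unaligned access */
        if (h.hdrlen < sizeof h || h.hdrlen > len - off ||
            h.caplen > len - off - h.hdrlen) return -1;
        cb(&h, buf + off + h.hdrlen);
        off += DEMO_WORDALIGN((size_t)h.hdrlen + h.caplen);
    }
    return n;
}

/* Constructed input: append one record in the layout demo_walk expects. */
size_t demo_append(uint8_t *buf, size_t off, const void *pkt, uint32_t n)
{
    struct demo_hdr h = {n, n, (uint16_t)DEMO_WORDALIGN(sizeof h)};
    memcpy(buf + off, &h, sizeof h);
    memcpy(buf + off + h.hdrlen, pkt, n);
    return off + DEMO_WORDALIGN((size_t)h.hdrlen + n);
}

size_t demo_total; /* captured bytes seen by the callback */
static void demo_sum(const struct demo_hdr *h, const uint8_t *pkt)
{ (void)pkt; demo_total += h->caplen; }

/* Three constructed packets in one buffer, `cut` bytes chopped off the end. */
int demo_run(size_t cut)
{
    uint8_t buf[256] = {0}, data[60] = {0};
    size_t len = demo_append(buf, 0, data, 5);
    len = demo_append(buf, len, data, 60);
    len = demo_append(buf, len, data, 1);
    demo_total = 0;
    return demo_walk(buf, len - cut, demo_sum);
}
```

`demo_run(0)` delivers all three packets from the single buffer; a buffer cut short mid-record makes the walker stop with -1 instead of reading past the end.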