the correct way to use pcap_next_ex or pcap_next (libpcap)

Question

I saw this kind of code used in a project:

while (1)
{
  l_numPkts = pcap_next_ex( m_pcapHandle, &header, &pkt_data);
  //do something
  memcpy(dst,pkt_data,size);    
}

after the pcap_next_ex return,the packet status will be set TP_STATUS_KERNEL,which means the buf was return to kernel. code:

 /* next packet */
 switch (handle->md.tp_version) {
  case TPACKET_V1:
  h.h1->tp_status = TP_STATUS_KERNEL;
..

in some high speed environment,will it get a memory problem?

and what is the correct way to use pcap_next / pcap_next_ex?

score 1 · Accepted Answer · answered Apr 05 '11 at 10:11

I freezed on this problem in python with winpcapy (1.9.2009) and WinPcap 4.1.0.2001.

I solved it simply by creating copy of packet data array (as suggested by memcpy mentioned in question).

pkt_data = pkt_data[:header.contents.len]

Not sure if it's correct but works for me at the moment.

And based on answer at winpcap papermail this what pkt_data references to should persist until next call of pcap_next_ex (or other dispatch method). If i got it right, because it uses one buffer for more/all packets and so it can be reused for other/last packets?

Q.

score -1 · Answer 2 · answered Apr 20 '15 at 07:47

-1

char errbuff[10000];
pcap_t * handler = pcap_open_offline(argv[1], errbuff);
struct pcap_pkthdr *header;
u_char  *packet;
while (pcap_next_ex(handler, &header, &packet) >= 0)
{
    printf("len %d:\n",header->len);
     ... YOUR CODE


}

answered Apr 20 '15 at 07:47

sam

1,363
1
20
32

the correct way to use pcap_next_ex or pcap_next (libpcap)

2 Answers2