The correct way to use pcap_next_ex or pcap_next (libpcap)

I saw the following code used in the project:

    while (1) {
        l_numPkts = pcap_next_ex(m_pcapHandle, &header, &pkt_data);
        // do something
        memcpy(dst, pkt_data, size);
    }

After pcap_next_ex returns, the packet status is set to TP_STATUS_KERNEL, which means that buf has been returned to the kernel. Code:

    /* next packet */
    switch (handle->md.tp_version) {
    case TPACKET_V1:
        h.h1->tp_status = TP_STATUS_KERNEL;
        ..

In some high-speed environments, is there a memory issue?

And what is the correct way to use pcap_next / pcap_next_ex?

+4
2 answers

I ran into this problem in Python with winpcapy (1.9.2009) and WinPcap 4.1.0.2001.

I solved this simply by creating a copy of the packet data array (as suggested by the memcpy mentioned in the question).

pkt_data = pkt_data[:header.contents.len]

Not sure if this is correct, but works for me at the moment.

And based on a response on the WinPcap mailing list, pkt_data references are kept until the next call to pcap_next_ex (or another sending method). If I understand correctly, this is because it uses one buffer for several / all packets, and it can therefore be reused for other / later packets?

Question.

+1
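The buffer-reuse behaviour discussed in the answer above, as an added example that is not part of the original answer or of winpcapy. `FakeCapture` and `PktHdr` are hypothetical stand-ins built with ctypes so the example runs without WinPcap; the sample frames are constructed.

```python
import ctypes

class PktHdr(ctypes.Structure):
    # Constructed stand-in for struct pcap_pkthdr (timestamp field omitted).
    _fields_ = [("caplen", ctypes.c_uint32), ("len", ctypes.c_uint32)]

class FakeCapture:
    """Hypothetical stand-in for a capture handle. Like pcap_next_ex, it
    returns pointers into ONE internal buffer that every call overwrites."""

    def __init__(self, frames, snaplen=64):
        self._frames = iter(frames)
        self._snaplen = snaplen
        self._buf = (ctypes.c_ubyte * snaplen)()
        self._hdr = PktHdr()

    def next_ex(self):
        frame = next(self._frames, None)
        if frame is None:
            return -2, None, None  # same value as PCAP_ERROR_BREAK
        cap = min(len(frame), self._snaplen)
        ctypes.memmove(self._buf, frame, cap)
        self._hdr.caplen, self._hdr.len = cap, len(frame)
        data = ctypes.cast(self._buf, ctypes.POINTER(ctypes.c_ubyte))
        return 1, ctypes.pointer(self._hdr), data

def capture_aliased(cap):
    """Buggy: stores the returned pointers and reads them after later calls."""
    held = []
    while True:
        rc, hdr, data = cap.next_ex()
        if rc != 1:
            break
        held.append((hdr, data))
    return [bytes(d[:h.contents.caplen]) for h, d in held]

def capture_copied(cap):
    """Correct: copies the bytes out before the next call can overwrite them."""
    packets = []
    while True:
        rc, hdr, data = cap.next_ex()
        if rc != 1:
            break
        # Slice by caplen (bytes actually captured), not len (size on the
        # wire): len can exceed what the buffer holds when snaplen truncates.
        packets.append(bytes(data[:hdr.contents.caplen]))
    return packets

FRAMES = [b"AAAA", b"BBBBBB", b"CC"]  # constructed sample payloads
```

With the held pointers every stored packet reads back as the last frame, while the copying loop returns each frame intact and truncated to the snapshot length.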
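    #include <pcap.h>
    #include <stdio.h>

    int main(int argc, char *argv[]) {
        char errbuff[PCAP_ERRBUF_SIZE];
        struct pcap_pkthdr *header;
        const u_char *packet;  /* points into libpcap's buffer; valid only until the next call */

        pcap_t *handler = (argc > 1) ? pcap_open_offline(argv[1], errbuff) : NULL;
        if (handler == NULL)
            return 1;  /* no file given, or errbuff holds the reason */
        while (pcap_next_ex(handler, &header, &packet) >= 0) {
            printf("len %u:\n", header->len);
            /* ... YOUR CODE */
        }
        pcap_close(handler);
        return 0;
    }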
-1