durung_lulus wrote:

I want to make a simple sniffer, but I have a question in mind:
Could we lose any packet that we try to grab with pcap_loop/pcap_dispatch?

Yes.

And if we do, what are the causes?

It'd be caused by the sniffer not being able to read packets fast enough that whatever buffer the OS uses in the capture mechanism doesn't fill up, so that packets don't arrive when there's no room left in the buffer.

The application should try to do as little processing as it can; however, there's also OS and libpcap code involved.

Making the buffer larger might help, although, unfortunately, there's currently no API in libpcap for doing that (the problem is that, on systems using BPF such as the BSDs, you can't set the buffer size once the BPF device is bound to a network interface, and that happens when you open with pcap_open_live(), so the API would have to be a new API for opening devices - we'll probably have such an API in the future).

On some platforms you could probably write platform-dependent code to increase the buffer size - for example, on Linux you could try increasing the socket buffer size using the file descriptor returned by "pcap_fileno()" (on Linux, capturing is done with a socket).

If you don't need the entire packet - if, for example, you're only interested in protocol information up to the TCP layer - you could set a "snapshot length" long enough to capture only the link-layer header and the headers you're interested in, so that less data is buffered and less data is copied; on most platforms, that'd make it less likely that you'd lose packets.

If you don't need all the packets on the network on which you're capturing - if, for example, you're only interested in HTTP traffic - you could use a packet filter to limit which packets are captured; on many platforms, that'd make it less likely that you'd lose packets.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
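The Linux-specific trick the reply mentions (raising the socket buffer behind pcap_fileno()) as an added example, not code from the post or from libpcap: it uses an unprivileged UDP socket as a stand-in for the capture socket, and the 4 MiB request is an arbitrary choice.

```c
/* Added example: grow the receive buffer of the Linux capture socket that
 * sits behind a pcap handle. On Linux the descriptor from pcap_fileno() is
 * a packet socket, so SO_RCVBUF applies to it; the kernel doubles the value
 * it stores and silently caps the request at net.core.rmem_max, so always
 * read the size back with getsockopt() instead of trusting the request. */
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Ask for a receive buffer of `want` bytes on `fd`. Returns the size the
 * kernel actually granted (as reported by getsockopt), or -1 on error. */
int grow_rcvbuf(int fd, int want)
{
    int got = 0;
    socklen_t len = sizeof got;

    if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &want, sizeof want) < 0)
        return -1;
    if (getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &got, &len) < 0)
        return -1;
    return got;
}

/* 1 if the granted size covers the request, 0 if the kernel capped it.
 * Linux reports twice the request, so compare against `want`, not 2*want. */
int rcvbuf_is_adequate(int granted, int want)
{
    return granted >= want;
}

/* Stand-in for the capture socket: a plain UDP socket needs no privileges.
 * In the sniffer, pass pcap_fileno(handle) to grow_rcvbuf() instead. */
int demo_udp_rcvbuf(int want)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    int granted;

    if (fd < 0)
        return -1;
    granted = grow_rcvbuf(fd, want);
    close(fd);
    return granted;
}

int main(void)
{
    int want = 4 * 1024 * 1024;            /* 4 MiB, arbitrary */
    int granted = demo_udp_rcvbuf(want);

    if (granted < 0) { perror("SO_RCVBUF"); return 1; }
    printf("requested %d, kernel granted %d\n", want, granted);
    if (!rcvbuf_is_adequate(granted, want))
        printf("capped: raise net.core.rmem_max (sysctl) and retry\n");
    return 0;
}
```

Newer libpcap (1.0 and later) added pcap_create() and pcap_set_buffer_size() for exactly this, so prefer that portable API where it is available and keep the setsockopt() route for older builds.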