I'm programming for a network program using libevent. I posted a question previously, but I have some new discoveries.
In this program, I want to capture packets using libpcap, modify these packets and then sends them out. These steps should be in real time. So I create a live capture, use pcap_get_selectable_fd to get a file descriptor pcap_fd for the live capture and add a READ_EV event for pcap_fdto a libevent loop. Anyway, it is like select() or epoll() polling the file descriptor. But I notice the program doesn't work as expected, so I use tcpdump and some debugging logs to check the problem. I notice that sometimes, the polling on pcap_fd is not working correctly, for example, at the begining, it seems to work fine. Some time later, the READ_EV event for pcap_fd is triggered 2 seconds later, which is really a big delay. I read the mannual, it says: pcap_get_selectable_fd(3) will return a file descriptor. But simple select() or poll() will not indicate that the descriptor is readable until a full buffer's worth of packets is received, even if the read timeout expires before then. It seems to me that the live capture has captured around 15 packets (each of which is 66 bytes), but the READ_EV event is not triggered until 2 seconds later. But at the very beginning, even 1 packet arrival can trigger a READ_EV event. This means it is very unstable. To work around this, an application that uses select() or poll() to wait for packets to arrive must put the pcap_t in non-blocking mode, and must arrange that the select() or poll() have a timeout less than or equal to the read timeout, and must try to read packets after that timeout expires, regardless of whether select() or poll() indicated that the file descriptor for the pcap_t is ready to be read or not. My question is for the paragraph above: 1 it seems to me that there are 2 timeouts, a read timeout and a timeout defined by myself, so what is the read timeout? 2 it seems to me that I need to set a very small timeout and poll the live capture using pcap_next() or pcap_dispatch, is it right? then my polling could be very CPU consuming? thanks! _______________________________________________ tcpdump-workers mailing list tcpdump-workers@lists.tcpdump.org https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
