--- Begin Message ---
On Feb 2, 2023, at 7:42 AM, Paschal Chukwuebuk Amusuo via tcpdump-workers 
<tcpdump-workers@lists.tcpdump.org> wrote:

> Please, is there any way to force pcap to deliver packets once it receives 
> the packet?
> Currently, pcap delivers packets to my application at intervals and it 
> batches the packets before delivering them. There are substantial time 
> differences between when the packet is received by pcap and when it is 
> finally delivered by the application.

pcap does not itself buffer packets.  Packet capture mechanisms, such as 
PF_PACKET sockets in memory-mapped mode on Linux, BPF devices on 
macOS/*BSD/AIX/Solaris 11, and NPF for Windows, do the buffering.

This is intentional; it's done to reduce the overhead of per-packet capture by:

        doing only one wakeup per batch of packets rather than per packet;

        if the mechanism copies from the kernel to user space, doing one copy 
        per batch of packets rather than per packet;

        packing multiple packets into a single chunk of the buffer.

The buffering has a timeout, so that packets don't have to wait for a buffer to 
fill up before being delivered to userland code such as libpcap.  Libpcap 
allows the application to choose the timeout.

See the "packet buffer timeout" section of the main pcap man page:

        https://www.tcpdump.org/manpages/pcap.3pcap.html

> In the screenshot I attached, 6 packets were received within 400ms but all 
> delivered at the same time.

That's probably because your application has requested a 400ms timeout in a 
call to pcap_open_live() or pcap_set_timeout() by passing 400 as the timeout 
value (which is in milliseconds).  You can either 1) choose a shorter timeout 
or 2) use immediate mode, as per Denis's message.

--- End Message ---
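To make the trade-off in the reply above concrete, here is an added example (not from the message and not libpcap code) that models batched delivery for six packets arriving within 400 ms. The function names, the constructed arrival times and the rule that the timer starts at the first buffered packet are assumptions; `timeout_ms` stands for the value an application would pass to pcap_set_timeout(), and `immediate` for immediate mode.

```c
#include <stdio.h>
#include <stddef.h>
/* Simplified model, assumed for illustration (real capture mechanisms differ
 * in when the timer starts): a batch opens when a packet lands in an empty
 * buffer and goes to userland when timeout_ms expires or the buffer holds
 * buf_pkts packets (0 = never fills). immediate != 0 models immediate mode.
 * arrival_ms must be sorted. Returns the number of wakeups (batches). */
size_t model_delivery(const long *arrival_ms, size_t n, long timeout_ms,
                      size_t buf_pkts, int immediate, long *deliver_ms)
{
    size_t wakeups = 0, i = 0;
    if (immediate || timeout_ms < 0) timeout_ms = 0;
    while (i < n) {
        size_t start = i++;               /* first packet opens the batch */
        long when = arrival_ms[start] + timeout_ms;
        while (!immediate && i < n && i - start != buf_pkts &&
               arrival_ms[i] <= when)
            i++;
        if (!immediate && i - start == buf_pkts)
            when = arrival_ms[i - 1];     /* buffer full: deliver early */
        for (size_t k = start; k < i; k++)
            deliver_ms[k] = when;
        wakeups++;
    }
    return wakeups;
}

long worst_delay(const long *arrival_ms, const long *deliver_ms, size_t n)
{
    long worst = 0;                       /* longest arrival-to-delivery wait */
    for (size_t i = 0; i < n; i++)
        if (deliver_ms[i] - arrival_ms[i] > worst)
            worst = deliver_ms[i] - arrival_ms[i];
    return worst;
}

int main(void)
{
    /* Constructed sample: six packets arriving within 400 ms. */
    const long arrival[6] = {0, 60, 130, 210, 300, 390};
    long deliver[6];
    size_t w = model_delivery(arrival, 6, 400, 64, 0, deliver);
    printf("400 ms timeout: %zu wakeup(s), worst delay %ld ms\n",
           w, worst_delay(arrival, deliver, 6));
    w = model_delivery(arrival, 6, 0, 64, 1, deliver);
    printf("immediate mode: %zu wakeup(s), worst delay %ld ms\n",
           w, worst_delay(arrival, deliver, 6));
    return 0;
}
```

In this model a shorter timeout or immediate mode removes the delivery delay at the cost of one wakeup per packet, which is the overhead the batching exists to avoid.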
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
