Hello!
Reading manual pages about libpcap, I feel that some pieces of the
puzzle are still hidden from me :) (No, I wrote some programs which use
libpcap, but I feel unsatisfied when reading the manual :)
Here are the quotes from man pcap and my questions:
> pcap_dispatch() is used to collect
where to? to an internal buffer?
> and process packets. cnt specifies the maximum number of packets to
> process before returning. A cnt of -1 processes all the packets
> received in one buffer.
what was meant by the 'one buffer' here? the whole manual didn't say anything
about any buffer before!
> A cnt of 0 processes all packets until an
> error occurs,
clear? well, not too :)
i.e., the first and last difference between -1 and 0 is that 'one
buffer'? and 0 will be doing the same, except the 'one buffer'?
well, this is not too self evident...
> EOF is reached, or the read times out (when doing live
> reads and a non-zero read timeout is specified).
And what would happen if it was zero? Will it work at all?
> callback specifies a routine to be called with three arguments:
> a u_char pointer which is passed in from pcap_dispatch(),
for what purpose, couldn't you please give an example or a situation
where it serves its purpose?
> a pointer to the pcap_pkthdr struct
the structure is defined as follows:
    struct pcap_pkthdr {
        struct timeval ts;      /* time stamp */
        bpf_u_int32 caplen;     /* length of portion present */
        bpf_u_int32 len;        /* length this packet (off wire) */
    };
in my tests, caplen always == len... what is it?
couldn't you please expand the meaning of these variables?
> (which precede the actual network headers and data), and a
> u_char pointer to the packet data.
> The number of packets read is
> returned. Zero is returned when EOF is reached in a ``savefile.'' A
> return of -1 indicates an error in which case pcap_perror() or
> pcap_geterr() may be used to display the error text.
these are all questions about dispatch, but there are several about
pcap_loop() now:
> pcap_loop() is similar to pcap_dispatch() except it keeps
> reading packets until cnt packets are processed or an
> error occurs. It does not return when live read timeouts
> occur.
so, timeouts are not taken into consideration? ok.
> Rather, specifying a non-zero read timeout to
> pcap_open_live() and then calling pcap_dispatch() allows
> the reception and processing of any packets that arrive
> when the timeout occurs.
what meaning does 'Rather' have here?
> A negative cnt causes
> pcap_loop() to loop forever (or at least until an error
> occurs).
Thank you for your time in advance.
--
Best regards,
Igor mailto:[EMAIL PROTECTED]
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
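
An added example, not part of the original message and not libpcap's own code: a callback with the three-argument shape the quoted manual text describes, using the u_char pointer to reach application state and bounding every read of packet data by caplen rather than len. The names demo_pkthdr, stats, on_packet and run_demo are hypothetical, and demo_pkthdr is a local stand-in for struct pcap_pkthdr so the block builds without libpcap.

```c
#include <stdint.h>

/* Stand-in for libpcap's struct pcap_pkthdr (time stamp left out). */
struct demo_pkthdr {
    uint32_t caplen;   /* bytes actually stored in the data buffer */
    uint32_t len;      /* bytes the packet had on the wire */
};

/* Application state, reached through the u_char "user" argument. */
struct stats {
    unsigned packets, truncated, tcp;
    unsigned long wire_bytes;
};

/* Same three-argument shape as the callback the man page describes. */
static void on_packet(unsigned char *user, const struct demo_pkthdr *h,
                      const unsigned char *data)
{
    struct stats *st = (struct stats *)user;   /* recover our own state */

    st->packets++;
    st->wire_bytes += h->len;        /* traffic accounting uses len */
    if (h->caplen < h->len)
        st->truncated++;             /* snapshot length cut this packet */

    /* Parsing is bounded by caplen: only caplen bytes exist in data. */
    if (h->caplen < 14 + 20)
        return;                      /* Ethernet + minimal IPv4 not captured */
    if (data[12] != 0x08 || data[13] != 0x00)
        return;                      /* EtherType is not IPv4 */
    if (data[14 + 9] == 6)           /* IPv4 protocol field: 6 = TCP */
        st->tcp++;
}

/* Constructed input: two hand-made frames delivered the way the capture
   loop would deliver them. */
static struct stats run_demo(void)
{
    struct stats st = {0, 0, 0, 0};
    unsigned char frame[60] = {0}, cut[20] = {0};
    struct demo_pkthdr whole = {60, 60};      /* fully captured */
    struct demo_pkthdr snapped = {20, 1514};  /* only 20 of 1514 bytes kept */

    frame[12] = 0x08; frame[13] = 0x00; frame[14] = 0x45; frame[23] = 6;
    cut[12] = 0x08; cut[13] = 0x00; cut[14] = 0x45;
    on_packet((unsigned char *)&st, &whole, frame);
    on_packet((unsigned char *)&st, &snapped, cut);
    return st;
}
```

In a real program the address of the stats structure would be passed as the last argument of pcap_dispatch() or pcap_loop(), which hands it back unchanged as the first callback argument.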