Hi, I am running libpcap-0.6.2 on OpenBSD and freeBSD. I have some doubts regarding the libpcap. If anyone could answer it would be great.
My application uses pcap_next to get the packet and then processes it. Looking at pcap_next , the control goes to pcap_dispatch and then to pcap_read(). pcap_read() gets a bulk of data from the kernel and then stores in the libpcap buffer and processes it one packet at a time. So therefore pcap_next gets one packet at a time from the buffer. If the processing takes time when there is lot of packet coming to kernel (or to NIC) libpcap is not reading it from kernel unless these packets in the buffer are processed completely .. am i right ? So does the packet drops occur at the kernel ? How much capacity can kernel or NIC have usually (i know it is a vague question but what is the figure usually) And all in all there is 2 Queues involved that a packet will see ie at NIC and at libpcap. correct ? ------------------------------------------------------------------------ Also for pcap_read() function, which implementation is taken from pcap-bpf.c or pcap-BPF.c When i do a make i see that pcap-bpf.c is used. Then what is pcap-BPF.c ? what's the difference to pcap-bpf.c ? thanks Ashley - This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
