On Thu, Jul 18, 2002 at 08:05:23PM +0530, Y Sreenivasulu wrote:
> But still savefile is being closed properly and packets
> can be read from it later using tcpdump -r option. How is this possible?
> How are the pcap_dump_close and pcap_close called from 'cleanup' and from
> where ?
They're not called.

What "pcap_close()" does is:

	if you're reading from a saved capture, "fclose()" the standard
	I/O stream being used for reading, and free up a private data
	structure - and, on Linux, call a routine that, if the old
	SOCK_PACKET capture mechanism is being used, turns off
	promiscuous mode;

	if you're doing a live capture, close the file descriptor for
	the device/socket on which the capture is being done, and free
	up the buffer into which stuff is read from that file
	descriptor;

and then free up any filter program and the "pcap_t" itself.

When a program exits, its entire address space is freed, so the fact
that none of the frees done by "pcap_close()" are done is irrelevant.

In addition, all open file descriptors are closed, so the fact that
that's not done by "pcap_close()" is irrelevant.

Furthermore, all "fclose()" does, on a file open for reading, is free up
some data structures and close a file descriptor, so the fact that
that's not done by "pcap_close()" is also irrelevant.

The only thing that'd matter would be the stuff done on Linux with the
old SOCK_PACKET capture mechanism; however, if the program is exiting by
calling "exit()" or returning from "main()" (which is what happens if
you do a ^C), any routines registered with "atexit()" will be called,
and one of those is a routine to do the same cleanup.

Besides, if you're using either the libpcap that came with RH 7.0, or
libpcap 0.7.1 built on your RH 7.0 machine, you won't be using that old
capture mechanism anyway, as you aren't using a 2.0[.x] kernel - 2.2
introduced a new packet capture mechanism, and just closing the file
descriptor handles the promiscuous-mode cleanup.

And what "pcap_dump_close()" does is just do an "fclose()" on the
standard I/O stream used for writing - but, if the program is exiting by
calling "exit()" or returning from "main()", an "fclose()" is done on
all the open standard I/O streams, so the fact that "pcap_dump_close()"
doesn't do that is irrelevant.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
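
The stdio behaviour described in the message above, as an added example that is not part of the original message or of libpcap/tcpdump: a child process writes to a stream and never calls fclose(), and the parent checks how much reached the file. The function name, RECORD_LEN and the temporary path are constructed for the illustration, and the _exit() contrast is an addition the message does not discuss.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

#define RECORD_LEN 24   /* constructed payload, smaller than the stdio buffer */

/* Child writes RECORD_LEN bytes to a stream, never calls fclose(), and leaves
 * via exit() (use_exit != 0) or _exit(). Returns the file size the parent
 * then sees on disk, or -1 on error. */
long size_after_unclosed_write(int use_exit)
{
    char path[] = "/tmp/savefile-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    close(fd);
    fflush(NULL);                 /* keep the parent's buffers out of the child */
    pid_t pid = fork();
    if (pid < 0) {
        unlink(path);
        return -1;
    }
    if (pid == 0) {
        char record[RECORD_LEN] = {0};
        FILE *fp = fopen(path, "wb");
        if (fp == NULL)
            _exit(2);
        fwrite(record, 1, sizeof record, fp);   /* sits in the stdio buffer */
        if (use_exit)
            exit(0);    /* runs atexit() handlers, flushes and closes streams */
        _exit(0);       /* skips that; the buffered bytes never reach the file */
    }
    int status;
    struct stat st;
    long size = -1;
    if (waitpid(pid, &status, 0) == pid && stat(path, &st) == 0)
        size = (long)st.st_size;
    unlink(path);
    return size;
}

int main(void)
{
    printf("exit():  %ld bytes on disk\n", size_after_unclosed_write(1));
    printf("_exit(): %ld bytes on disk\n", size_after_unclosed_write(0));
    return 0;
}
```

A process that ends without going through exit() or a return from main() gets the file-descriptor and address-space cleanup but not the stdio flush, so the tail of a savefile can be missing in that case.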