On Fri, Feb 07, 2003 at 06:31:31AM -1000, Ryan Mooney wrote:
> What about if you did it as a threaded program and spawned new threads
> to match the new sessions.
If the new threads are doing their own "pcap_open_live()" calls, then

   1) you run the risk of running out of BPF devices on some
      platforms;

   2) you *still* aren't guaranteed to see the first packet of the
      session, as that packet might have arrived before that thread
      starts.
> This would likely require some cleverness
> to get decent performance (thread pre-spawning,
Even if you pre-spawn the thread, it'd have to pre-open the capture
session *and* start sniffing - but you'd have to capture without a
filter until you know what the filter is, in which case setting the
filter will discard already-captured packets.
> A similar alternative would be to hack go into a big select loop on N
> bpf's
Same problem (plus "select()" doesn't work right on BPF devices on many
versions of BSD, although there are workarounds; on platforms that don't
use BPF, select works on the UNIXes, but there's a WinPcap bug that
causes a bogus handle to be returned by "pcap_getevent()" on Windows NT
(NT 4.0, 2K, XP) in current versions of WinPcap - I think it's fixed in
the 3.0 alpha/beta).
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html