Libpcap corrupts output

[Cove Schneider <cove () wildpackets com>]

Hello,

I have a problem where my app pipes the output of tcpdump over a  
network connection and on slower connections it appears that libpcap  
sometimes doesn't write out the whole packet data segment. I believe  
this is being caused by the lack of error checking in pcap_dump():

(0.9.4) savefile.c
   1167 void
   1168 pcap_dump(u_char *user, const struct pcap_pkthdr *h, const  
u_char *sp)
   1169 {
   1170         register FILE *f;
   1171         struct pcap_sf_pkthdr sf_hdr;
   1172
   1173         f = (FILE *)user;
   1174         sf_hdr.ts.tv_sec  = h->ts.tv_sec;
   1175         sf_hdr.ts.tv_usec = h->ts.tv_usec;
   1176         sf_hdr.caplen     = h->caplen;
   1177         sf_hdr.len        = h->len;
   1178         /* XXX we should check the return status */
   1179         (void)fwrite(&sf_hdr, sizeof(sf_hdr), 1, f);
   1180         (void)fwrite((char *)sp, h->caplen, 1, f);
   1181 }

As far as I can tell fwrite() will occasionally write short. I'm  
assuming because my pipe is "backed up" and libpcap can't write  
anymore data to it (though I would expect it to block in that case,  
so I'm not really sure what's causing it to temporarily write short  
data).

Is there any plan to change this behavior? It would be useful to me  
if it retried and wrote out the rest of the data, since I'm going to  
lose packets anyway, it would be nice if the output wasn't corrupted  
too.

Any info appreciated.

Thanks,

Cove




-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.