tcpdump mailing list archives

reading a live pcap file in real time


From: Giovanni Venturi <giovanni () ksniffer org>
Date: Tue, 3 Mar 2009 00:42:33 +0100

Hello,
I'm using libpcap 3.9.8. I made a GUI application under KDE that, when I ask it
to start sniffing packets from the network, starts another application
(not a GUI) that captures all the packets and writes them into a file.
From the GUI I have under control the file it writes. And I use

while (m_canSniff)
{
  ...
  result = pcap_next_ex( ... )
  ...
}

to know if there are new packets in the file. If I get result == -2 then I
got no packet, else I got a packet and then I put it into the GUI view.
I stop the GUI thread on the pcap file when m_canSniff becomes false. It
becomes false when the backend "daemon" stops capturing packets. I get the
end signal of the process thanks to the KProcess class and then I set m_canSniff
to false.

Is this method correct? Is there some problem in it?

Because very often I get fewer or more packets than I requested. I
programmed the "daemon" so that it stops when it gets 70000 packets, for
example. On the GUI I get ~71900 packets. I don't know where the other
1900 packets come from, because if I open the pcap file I find exactly 70'000
packets in it. Other times I get less than 70'000 packets, about 500
packets less. I added an if statement:

if ((result != -2) && (result > 0))
  put the packet into the view...


Where do these problems come from? Is the problem querying a pcap file that
changes in real time, or a bigger trouble in my source code? I've had this
problem in various versions. What do you suggest?

The project is in the KDE svn:

http://websvn.kde.org/trunk/playground/network/ksniffer/

Please try to help me understand where the problem could be. I know the code
in my project is not so easy, but if you know about an issue in libpcap with
the way I do the live sniffing, let me know.
Thank you for your attention,
Giovanni Venturi

-- 
A KDE Italian translator and KSniffer core developer
Slackware GNU/Linux current version - kernel 2.6.28.7
KSniffer Project - http://www.ksniffer.org/
KDE Italia - http://www.kde-it.org/
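
Added example, not part of the original post or of KSniffer: one way to follow a pcap file that another process is still appending to, without libpcap's savefile reader, by consuming only records that are completely on disk and leaving a partially written trailing record for the next poll. It assumes the classic little-endian pcap format (magic 0xa1b2c3d4) and a file that only grows; `follow_pcap`, `build_sample` and the `MAX_CAPLEN` bound are hypothetical names and values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PCAP_MAGIC 0xa1b2c3d4u /* classic pcap, microsecond timestamps */
#define GLOBAL_HDR 24          /* file header size in bytes */
#define RECORD_HDR 16          /* per-packet header size in bytes */
#define MAX_CAPLEN 262144u     /* sanity bound on incl_len (assumption) */

static uint32_t le32(const unsigned char *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Hypothetical helper: count complete records in buf[*off..len) and advance
 * *off past them; a record not fully written yet is left for the next poll.
 * Assumes the file only grows. Returns -1 on bad magic or implausible incl_len. */
long follow_pcap(const unsigned char *buf, size_t len, size_t *off) {
    long n = 0;
    if (*off == 0) {                            /* file header not consumed yet */
        if (len < GLOBAL_HDR) return 0;         /* writer has not flushed it */
        if (le32(buf) != PCAP_MAGIC) return -1;
        *off = GLOBAL_HDR;
    }
    while (len - *off >= RECORD_HDR) {
        uint32_t caplen = le32(buf + *off + 8); /* incl_len field */
        if (caplen > MAX_CAPLEN) return -1;
        if (len - *off - RECORD_HDR < caplen) break; /* payload still partial */
        *off += RECORD_HDR + caplen;
        n++;
    }
    return n;
}

/* Constructed sample: file header plus `count` records of 4 zero bytes each. */
size_t build_sample(unsigned char *out, size_t count) {
    size_t rec = RECORD_HDR + 4, total = GLOBAL_HDR + count * rec;
    memset(out, 0, total);
    out[0] = 0xd4; out[1] = 0xc3; out[2] = 0xb2; out[3] = 0xa1; /* magic, LE */
    for (size_t i = 0; i < count; i++)
        out[GLOBAL_HDR + i * rec + 8] = 4;      /* incl_len = 4 */
    return total;
}

int main(void) {
    unsigned char file[128];
    size_t off = 0, total = build_sample(file, 3);
    printf("poll 1: %ld\n", follow_pcap(file, total - 10, &off)); /* cut mid-record */
    printf("poll 2: %ld\n", follow_pcap(file, total, &off));
    return 0;
}
```

The caller keeps `off` between polls and adds up the return values, so each packet is counted exactly once however the writer's flushes happen to split the records.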
