tcpdump mailing list archives

Re: libpcap on Mac Os X 10.6 Snow Leopard

From: Guy Harris <guy () alum mit edu>
Date: Fri, 19 Feb 2010 10:30:47 -0800


On Feb 15, 2010, at 3:55 PM, Marco De Angelis wrote:

I have set the non-blocking mode to 0, expecting
the call to pcap_dispatch to hang when packets are not 
collected. But instead, I can see many printouts (Read 0 packets)
which indicate that the pcap_dispatch has exited when no
packets are dispatched. So, is the non-blocking mode bugged, or
am I understanding the modality in the wrong way?


Non-blocking mode is, indeed, buggy in Snow Leopard; a non-blocking read from a BPF device will return "no data 
available" unless the "store buffer" fills up.  It's also buggy in FreeBSD and DragonFly BSD, but, on 
sufficiently-up-to-date versions of those systems, *if* you do a select() on a BPF device():

        1) the select will return if the "store buffer" fills up *or* the timer expires;

        2) either of those two will cause the "store buffer" to be rotated to the "hold buffer", so a non-blocking read 
will return data.

Neither of those are true in Snow Leopard.  (The first of those isn't true in *any* OS X release - the select() only 
returns if the "store buffer" fills up - and is also not true in older versions of various BSDs.)

I've submitted bug reports for FreeBSD and DragonFly BSD; Matt Dillon said that he picked up my fix for DFly BSD.  I've 
also attached my fix to the OS X bug you filed.

A read on a BPF device that's *not* in non-blocking mode will block if no packets are available.  *However*, if you've 
set a timeout on the BPF device - as libpcap does if you specify a timeout in pcap_open_live(), or in 
pcap_set_timeout() before pcap_activate() - it won't block *forever*; if the timeout expires, and no packets have 
arrived, it'll return, saying no packets arrived.  *That's* why, even without turning non-blocking mode on, you 
*eventually* get "Read 0 packets" indications - you've set a timeout of 1 second.  However, the pcap_dispatch() call 
*will* block for a second.

Note that there is no guarantee that, on all platforms, pcap_dispatch() will return after the timeout expires even if 
no packets have arrived.  That is *not* the case on Solaris, for example, and it might or might not work on Linux.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

Current thread:

Re: libpcap on Mac Os X 10.6 Snow Leopard, (continued)
- - - Re: libpcap on Mac Os X 10.6 Snow Leopard Carter Bullard (Feb 09)
    - Re: libpcap on Mac Os X 10.6 Snow Leopard Guy Harris (Feb 09)
    - Re: libpcap on Mac Os X 10.6 Snow Leopard Marco De Angelis (Feb 10)
    - Re: libpcap on Mac Os X 10.6 Snow Leopard Guy Harris (Feb 10)
    - Re: libpcap on Mac Os X 10.6 Snow Leopard Marco De Angelis (Feb 10)
    - Re: libpcap on Mac Os X 10.6 Snow Leopard Guy Harris (Feb 11)
    - Re: libpcap on Mac Os X 10.6 Snow Leopard Marco De Angelis (Feb 12)
    - Re: libpcap on Mac Os X 10.6 Snow Leopard Guy Harris (Feb 12)
    - Re: libpcap on Mac Os X 10.6 Snow Leopard Guy Harris (Feb 13)
    - Re: libpcap on Mac Os X 10.6 Snow Leopard Marco De Angelis (Feb 19)
    - Re: libpcap on Mac Os X 10.6 Snow Leopard Guy Harris (Feb 19)