Support for pcap_set_buffer_size ?

[ioguix]

Hello,

According to the Net::Pcap doc, pcap_setbuff is available only on WinPcap library. However, it seems to me pcap function "pcap_set_buffer_size" achieve the same goal on UNIX plateforms.

At least this function is used by tcpdump to answer its -B parameter.

Is there any reason this function is not available on UNIX plateform in Net::Pcap ?

Maybe I could work on a patch if you are agree to include it in a future release ?

Thanks !

[maddingue]

Jehan-Guillaume (ioguix) de Rorthais wrote:

Hello,

Hello,

According to the Net::Pcap doc, pcap_setbuff is available only on WinPcap library. However, it seems to me pcap function "pcap_set_buffer_size" achieve the same goal on UNIX plateforms.

At least this function is used by tcpdump to answer its -B parameter.

Is there any reason this function is not available on UNIX plateform in Net::Pcap ?

No reason except that I didn't work enough on Net::Pcap over the last years, and that the Perl API surely lags behind the Unix API, which seems to have included functions from WinPcap.

Maybe I could work on a patch if you are agree to include it in a future release ?

I would gladly accept a patch for this :)

Sébastien Aperghis-Tramoni

Close the world, txEn eht nepO.

[ioguix]

Ok,

I start looking at this issue and I face a small issue. Function "pcap_set_buffer_size" can be called ONLY on a non-activated pcap. Which means that under Unix platforms, we need to do :

p = pcap_create(device, errbuf);
pcap_set_snaplen(p, snaplen);
pcap_set_promisc(p, promisc);
pcap_set_timeout(p, to_ms);
pcap_set_buffer_size(p, dim);
pcap_activate(p);

We have two options:

• adding a "buffsize" parameter to pcap_open_live()
• when not WPCAP, use pcap_create and pcapset* functions from pcap_open_live, so the user can still call pcap_setbuff() BEFORE any pcap functions dispatch/loop/next calls, and activate the pcap from this functions.

In my opinion, the first option is probably the easiest and cleaner one, even if it breaks the analogy between real the pcap function and the Net::Pcap one.

Thoughts ?

[ioguix]

Mh, there's a third option:

create pcap_create, pcap_set_snaplen, pcap_set_promisc, pcap_set_timeout, pcap_set_buffer_size and pcap_activate functions, specific to the Unix platforms...

[ioguix]

Before creating a new pull request, here is a patch to review which just add native functions to Net::Pcap: 03a61f2e3e19697ac0e2192440c696cf65f8f140

I tested this exact same bunch of functions on a project of mine, and it sounds to works quite well. Setting the buffer to 100MB allowed me to capture/process an intensive traffic (on localhost) with no packet dropped.

[ioguix]

Hey,

Any news on this patch ?

According to its changelog, these functions has been added in 2008 to winpcap. See: http://www.winpcap.org/misc/changelog.htm#changelog_4_1b4

However, it seems they stayed undocumented...

Anyway, with these functions in Net::Pcap, devs can at least test the plateforme name and pick the appropriate mathods to start a live capture. Or, wa can provide them a wrapper...

Thoughts ?

[twilde]

The patch looks reasonable to me; can you add some tests for the new functions and then issue a pull request?

Thanks, Tim

[solemnwarning]

Is there any chance of #2 getting merged?

I'm having issues with using Net::Pcap on Linux as of libpcap 1.50 and the solution is to put the capture into immediate mode (See https://github.com/the-tcpdump-group/libpcap/issues/1220).