the-tcpdump-group / libpcap

the LIBpcap interface to various kernel packet capture mechanism
https://www.tcpdump.org/

Libpcap 1.5 Not Buffering Packets on Linux version 4.14? #1327

Open manswami23 opened 2 weeks ago

manswami23 commented 2 weeks ago

Hi,

I've been playing around with libpcap and trying to identify how the buffering logic works. My current version is 1.5.3, and the Linux kernel version is 4.14 (4.14.106-97.85.amzn2.x86_64).

My packet capture is pretty straightforward. I create a handle with the following settings:

My understanding of how the buffering system in TPACKET_v3 works is that there are N blocks where N = buffer size / 256 KB. So with a buffer size of .5 GB, I should have ~2000 blocks, each of size 256 KB. Now, when packets are delivered to the buffer, my packet capture application shouldn't immediately read those packets. Rather, it only picks them up when the 256 KB block gets full, or 60 seconds elapse.

However, when just doing some basic tests where I send roughly 100 bytes' worth of packets, I noticed that my packet capture starts logging those packets. This has me confused, since the block shouldn't be full, and it's nowhere near the 60 second timeout. In fact, no matter what I do, it seems like the capture just operates in "immediate" mode.

On the flip side, if I run the same test on a different machine with the same libpcap version but on Linux kernel version 3.10.0 (3.10.0-1160.92.1.el7.x86_64), I do see a delay where it takes 40-50 seconds for my callback to get triggered.

Is there something I'm maybe missing here? From what I've read, TPACKET_v3 is supported on both kernel versions.

(Sorry if this isn't the right forum for this, it's been a while since I've posted anything to GitHub).

infrastation commented 2 weeks ago

libpcap 1.5.3 is more than 10 years old and Linux kernel 4.14 is more than 6 years old; is there any reason not to use more recent stable versions in your project?

manswami23 commented 2 weeks ago

Thanks for responding.

Without going into the background of it, we'd like to run our packet capture on a legacy system. I doubt upgrading the kernel is feasible in the timeframe of our project.

On the flip side, we might be able to upgrade to a later version of libpcap. But still, I find it odd that everything works fine on an older 3.10 kernel.

Plus, I imagine that when 4.14 came out, libpcap 1.5 was probably more in use 🤷. In which case, either people ran into this and didn't notice or this isn't a real issue and I'm just misconfiguring something on my end (which feels more likely lol). In either case, I'd like to understand what's happening before adding another line item to our roadmap to upgrade dependencies.