-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The Npcap API documentation mentions an apparently non-existent pcap_setuserbuffer() routine #1327
Comments
It was upstreamed to the-tcpdump-group/libpcap. I agree that |
That's not overloading it, that's fixing it. I'm not even sure what the point of having the userspace buffer size being different from the kernel buffer size is. |
"It" and "upstreamed" in what sense? |
Unless you can think of a compelling reason why the userspace buffer size shouldn't start out as being the same as the kernel buffer size (in which case, please list it here), please do upstream that issue by filing either an issue or a pull request against libpcap. |
And, given that WinPcap has |
And, given that libpcap already had (Is that what you mean by "upstreamed"? It was added because it already was in WinPcap 4.1.3, and possibly earlier, even if they didn't document it.) |
Yes, that's what I meant; libpcap 1.8.1 already includes So my recommendation would be:
Does this sound appropriate? |
That's because I was thinking of BPF (as in "the capture mechanism in *BSD, macOS, Solaris 11, and AIX", not as in "the filtering mechanism"), which has two buffers, with packets added to one buffer - the "store buffer" - and read from the other - the "hold buffer" - with the buffers swapped if the store buffer is full and the hold buffer is empty. The only size that can be specified with BPF is the size of the buffers (they're the same size), and a read from the hold buffer returns the entire buffer, so there's no point in the user buffer being any size other than the kernel buffer size. This also means that a wakeup is delivered when the full kernel buffer is, in effect, half-full, i.e. when the store buffer fills up and is rotated to become the hold buffer. (It's also delivered when the timeout expires.) NPF, at least as I read the documentation and read^Wskim the code, has a single buffer, with the writer adding packets to the tail and the reader consuming packets from the head. It has two kernel sizes - the buffer size and the "minimum to copy" size. Unless the "minimum to copy" size is sufficiently smaller than the buffer size, with a sufficiently high rate of packet data being captured there's probably a significant risk of the wakeup occurring when there's insufficient time to drain the packet buffer before it overflows. In this model, the appropriate size for the user buffer is probably something between the "minimum to copy" size and the kernel buffer size. If it's just the "minimum to copy" size, you run the risk that you're not getting all the available packets once you wake up - packets that arrive after the wakeup won't be seen. If it's the kernel buffer size, you may, in practice, be wasting memory, as the buffer probably will rarely, if ever, be completely full when you do the read (if it is completely full, there's probably a good chance that you're dropping packets). |
These issues have been resolved. |
The Npcap API documentation mentions a
pcap_setuserbuffer()
routine; that appears to be present in WinPcap 4.1.3, but doesn't appear to be in tip of the master branch of the Npcap Git repository. Was it removed?(If
pcap_create()
,pcap_set_buffer_size()
, andpcap_activate()
are used, the user-mode buffer is large enough to handle that kernel buffer size, sopcap_setuserbuffer()
is not necessary; I'm not sure whetherpcap_setbuff()
andpcap_setuserbuffer()
need to be used together, but, whether it is or isn't,pcap_set_buffer_size()
is what should be used in any code written for libpcap 1.0 or later and for Npcap.)The text was updated successfully, but these errors were encountered: