Thanks for your indepth explanation! Now I understand whats going on,
and I also found where I can change this in the code...
I was using Windows and winpcap.
Guy Harris wrote:
Arik Dasen wrote:
Hi all
I'm piping the tethereal output (packet summary) to my app. The
documentation says that I can use the '-l' option to force a flush, so
that I have the packet immediatly after dissecting. But this doesn't
seem to work. When I timestamp the output in my app I noticed that I
get a bunch of packets roughly every 1s...
On what operating system are you running Tethereal?
On some operating systems, the packet capture mechanism provided by the
OS, and used by libpcap (the library Ethereal and Tethereal use to
capture network traffic) supports "batching" of packets, so that, in a
single system call to retrieve packets from that mechanism, a large
batch with multiple packets can be read, rather than just one packet.
This reduces the CPU overhead for heavy network traffic.
The batching mechanism includes a timeout; if the buffer for the batch
fills, *or* the timeout expires, the batch is delivered to the application.
In some OSes, the timer starts as soon as a read is done, so that the
timer could expire even if no packets have arrived; in other OSes, the
timer starts when the first packet arrives, so at least one packet is
delivered.
In either case, if not a lot of traffic is being captured, there could
be a delay equal to the timeout (on OSes of the first type) or greater
than the timeout (on OSes of the second type) before a packet is seen.
The timeout Tethereal uses is...
...1000 milliseconds (those are the units of the timeout in libpcap), or
1 second.
The BSDs (FreeBSD, NetBSD, OpenBSD, DragonFlyBSD, BSD/OS, Mac OS
X/Darwin), and Windows when WinPcap is used, are OSes of the first type;
Solaris is an OS of the second type. Digital/Tru64 UNIX is one of those
types, but I don't remember which.
If an API were added to libpcap to support changing the timeout (I think
most of those OSes support support that, although I'm not sure whether
it'd work in Windows with WinPcap), Tethereal (and tcpdump, which also
uses a 1-second timeout), or libpcap, could, in theory, adjust the
timeout based on how many packets arrive per batch, so that if traffic
is arriving slowly, a short timeout would be used, and if it's arriving
fast a larger timeout would be used. Doing this right, so that you
don't, for example, make the timeout oscillate (requiring a system call
for *every* timeout change), or dropping packets because the timeout is
too short and you spend too much time making system calls to read
buffers without many packets, would involve more work, however, so this
is unlikely to happen any time soon unless somebody who wants it and
knows how to make it work does so and contributes code to do so.
_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
--
----------------------------------------------------------------
Arik Dasen - Senior Software Engineer
SwissQual AG - Gewerbestrasse 2 - CH-4528 Zuchwil - Switzerland
mobile: +41 79 614 70 14 / Fax: +41 32 685 08 31
----------------------------------------------------------------
<mailto:arik.dasen@xxxxxxxxxxxxx>
----------------------------------------------------------------
****************************************************************
The information in this e-mail is confidential and may be gally
privileged. It is intended solely for the addressee(s). It may
contain privileged and confidential information. If you are not
the intended recipient, please destroy this message and notify
us immediately. Any disclosure, copying or distribution of this
message is prohibited and may be unlawful.
****************************************************************
