We're now a non-profit! Support open source packet analysis by making a donation.

Wireshark-dev: Re: [Wireshark-dev] Triggers

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 10 Apr 2008 14:03:48 -0700
Luis EG Ontanon wrote:
I did not notice those replies to the bug.. Nice... I'll take a look...

 I wasn't neither aware of pcap_get_selectable_fd() and that may be
 because http://gd.tuwien.ac.at/infosys/security/tcpdump.org/pcap3_man.html
 does not show it... (Guy?)

I added it; I forget which release I added it in.

The problem is that the FD for the capture is not always selectable - for example, the DAG driver doesn't support select(). That's why I added it; it could well return -1, which means "sorry, you can't do select on this".

I've added notes on that to the bug.

 Windows does not implement it as  does not even have selectable fds or
 at least the one select() in winsock does not work on FDs so for
 WinPcap another approach should be taken (Gianluca?)

I *should* be possible to get the handles for the capture streams with pcap_getevent(), and WaitForMultipleEvents().

I don't know whether that works with AirPcap adapters, however.

 I did not notice the load-peak while playing with it but I believe I
 should have felt it in my very slow PPC mac...  do pcap_dispatch works
 differently in linux and bsds? (Guy?)

The main difference is that Linux, unless you're using the memory-mapped capture mechanism (supported by the under-development libpcap 1.0), you get one packet per recvfrom() call, while in OS X and *BSD, BPF will buffer up packets until the buffer fills up or the timeout expires, so you can get multiple packets per read().