<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns:o = "urn:schemas-microsoft-com:office:office"><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6000.16735" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT size=2></FONT> </DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=h_uluoz@yahoo.com href="mailto:h_uluoz@yahoo.com">Hakan Uluoz</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=winpcap-users@winpcap.org
href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Monday, December 01, 2008 6:16
AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> [Winpcap-users] Using too many
pcap_t handles causes errors?</DIV>
<DIV><BR></DIV>
<DIV>Hi,</DIV>
<DIV> </DIV>
<DIV>I am building a Win 32 application pair to monitor the SIP flow on a
gateway. Basically the machine running the monitor applications is connected
to a hub with the gateway. Main application monitors the SIP flow and runs
sub-applications according to the SIP informations. Sub-applications monitor
the RTP flows on forward and reverse directions. So all sub-applications have
2 pcap_t handles plus the main has 1. All have unique filters on the same
adapter. Yes, the sub-applications are better be threads but there are
some other restrictions irrelevant to wpcap that forces me to make them as
applications.</DIV>
<DIV> </DIV>
<DIV>The machine runs on Win XP 32 bit with 2 GB of ram, with all unnecessary
services removed. Applications run smooth on around 60 channels ( that
makes 60*2 + 1 => 121 handles ). But when the channel count
exceeds this boundry, findalldevs and open_live starts to fail. The errors are
generally :</DIV>
<DIV> </DIV>
<DIV class=MsoNormal><SPAN style="COLOR: black">Error in pcap_findalldevs:
PacketGetAdapterNames: ERROR_INSUFFICIENT_BUFFER(122)</SPAN></DIV><SPAN
style="COLOR: black">
<DIV class=MsoNormal><SPAN style="COLOR: black"></SPAN> </DIV>
<DIV class=MsoNormal><SPAN style="COLOR: black">Unable to open the
adapter. <adapter> is not supported by WinPcap - errbuf
:(NULL)</SPAN></DIV>
<DIV class=MsoNormal><SPAN style="COLOR: black"></SPAN> </DIV>
<DIV class=MsoNormal><SPAN style="COLOR: black">Unable to open the adapter.
<adapter> </SPAN><SPAN style="COLOR: black">is not supported by WinPcap
- errbuf : Cannot determine the network type(0)</SPAN></DIV>
<DIV class=MsoNormal><SPAN style="COLOR: black"></SPAN> </DIV>
<DIV class=MsoNormal><SPAN style="COLOR: black">And mostly :</SPAN></DIV><SPAN
style="COLOR: black">
<DIV class=MsoNormal><SPAN style="COLOR: black">Unable to open the adapter.
<adapter> is not supported by WinPcap - errbuf : driver error: not
enough memory to allocate the kernel buffer</SPAN><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: 'Arial','sans-serif'">
<o:p></o:p></SPAN></DIV>
<DIV class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: 'Arial','sans-serif'"><o:p> </o:p></SPAN></DIV>
<DIV class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: 'Arial','sans-serif'"><o:p><FONT
color=#000000>First observations showed that when the total memory
consumptions exceed 1GB errors start. Thought to be a paging issue and
disabled paging but did not give a cure. As there is around 1 GB free physical
ram available, I focussed on the kernel memory usage, and found that the
errors start as soon as the non-paged kernel memory usage reaches around 256
MB ( which is the limit for all Win 32 versions AFAIK ). Besides the CPU usage
is very acceptable under all circumstances.</FONT></o:p></SPAN></DIV>
<DIV class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: 'Arial','sans-serif'"><o:p></o:p></SPAN> </DIV>
<DIV class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: 'Arial','sans-serif'"><o:p><FONT
color=#000000>Can anyone clarify the reason for these errors I am getting? Is
it memory, handle limitations? And I'd be thankful on suggestions on a
solution. I already admit that everything has a limit but a way to tripple or
double the channel count ( e.g. monitoring 180-120 channels ) would be quite
useful.</FONT></o:p></SPAN></DIV>
<DIV class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: 'Arial','sans-serif'"><o:p><FONT
color=#000000></FONT></o:p></SPAN> </DIV></BLOCKQUOTE>
<DIV class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: 'Arial','sans-serif'"><o:p><FONT
color=#000000>The problem is non paged pool exaustion: every capture instance by
default uses a 1MB kernel buffer that is allocated from the non paged pool, plus
some kB for the internal structures (I don't remember exactly how many).
</FONT></o:p></SPAN></DIV>
<DIV class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: 'Arial','sans-serif'"><o:p><FONT
color=#000000>Several solutions come to my mind:</FONT></o:p></SPAN></DIV>
<DIV class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: 'Arial','sans-serif'"><o:p><FONT
color=#000000>- after you open the adapter with pcap_open_live, set the kernel
buffer size to a smaller one (with pcap_setbuff).</FONT></o:p></SPAN></DIV>
<DIV class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: 'Arial','sans-serif'"><o:p><FONT
color=#000000>- redesign your application so that you open less pcap_t handles
and then dispatch the packets to different threads</FONT></o:p></SPAN></DIV>
<DIV class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: 'Arial','sans-serif'"><o:p><FONT
color=#000000>- use a 64bit machine.</FONT></o:p></SPAN></DIV>
<DIV class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: 'Arial','sans-serif'"><o:p><FONT
color=#000000></FONT></o:p></SPAN> </DIV>
<DIV class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: 'Arial','sans-serif'"><o:p><FONT
color=#000000>Have a nice day</FONT></o:p></SPAN></DIV>
<DIV class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: 'Arial','sans-serif'"><o:p><FONT
color=#000000>GV</FONT></o:p></SPAN></DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: 'Arial','sans-serif'"><o:p><FONT
color=#000000></FONT></o:p></SPAN> </DIV>
<DIV class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: 'Arial','sans-serif'"><o:p><FONT
color=#000000></FONT></o:p></SPAN> </DIV>
<DIV class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: 'Arial','sans-serif'"><o:p><FONT
color=#000000>As a note I am using the WinPcap 4.0.2.
</FONT></o:p></SPAN></DIV>
<DIV class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: 'Arial','sans-serif'"><o:p></o:p></SPAN> </DIV>
<DIV class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: 'Arial','sans-serif'"><o:p><FONT
color=#000000>My best regards,</FONT></o:p></SPAN></DIV>
<DIV class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: 'Arial','sans-serif'"><o:p></o:p></SPAN> </DIV>
<DIV class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: 'Arial','sans-serif'"><o:p><FONT
color=#000000>Hakan.</FONT></o:p></SPAN></DIV><o:p></o:p><o:p></o:p></SPAN><o:p></o:p></SPAN>
<P>
<P>
<HR>
<P></P>_______________________________________________<BR>Winpcap-users
mailing
list<BR>Winpcap-users@winpcap.org<BR>https://www.winpcap.org/mailman/listinfo/winpcap-users<BR></BLOCKQUOTE></BODY></HTML>