<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-3">
<STYLE type=text/css>DIV {
MARGIN: 0px
}
</STYLE>
<META content="MSHTML 6.00.6000.16762" name=GENERATOR></HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face="Courier New" size=2></FONT> </DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=h_uluoz@yahoo.com href="mailto:h_uluoz@yahoo.com">Hakan Uluoz</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=winpcap-users@winpcap.org
href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Thursday, December 11, 2008 11:12
PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> [Winpcap-users] Using too many
pcap_t handles causes errors?</DIV>
<DIV><BR></DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">
<DIV>Hi ,</DIV>
<DIV> </DIV>
<DIV>Gianluca thanks for the info and suggestions, as far as I understand the
non-paged kernel pool is the source of my problems. Yes, at first stage I
thought a master thread for capturing and workers for processing, but hence
this application is realtime ( or let's say near-realtime ) the results ( at
least on win systems ) were worse ( though I did not make a complete protocol
etc analysis on the packets ) as analysis results were much sooner than the
events. As I said I have no trouble with the processor power so running all
analysis threads paralely gives me the results as the expected events
occur.</DIV>
<DIV> </DIV>
<DIV> Tried decreasing the mem usage with pcap_setbuff but I did not see
any +/- ( honestly I did not test this issue completely , I promıse I'll test
it by lowering to 256 KB which I think will be more then enough since RTP
packets I am collecting is around 60-70 bytes including protocol overhead).
</DIV>
<DIV> </DIV>
<DIV>Finally, as you suggested I decided to swap to a 64 bit OS, paralelly
porting the applications to linux. Natively 64 bit Win OSes do not have the
strange 256 MB kernel pool limit, AFAIK the limit is far beyond GBs. One point
I need to know is results of using an 32bit dll or application on a 64 bit os(
I cannot find the wpcap.dll or libs 64 bit version ). If you are
experienced on this topic, will "using 64 bit os and running same
applications on it ( or converting the applications to 64 bit but the
wpcap.dll will be still 32 bit )" be enough to avoid the kernel
limitation, or still the WoW64 emulation limits you to 256 MB pool? If
second is the reality, then compiling a 64 bit version of the pcap lib and/or
dlls will be the only solution. </DIV>
<DIV><FONT face="Courier New" size=2></FONT> </DIV></DIV></BLOCKQUOTE>
<DIV><FONT face="Courier New" size=2>When you work on a 64bit OS (I mean
x64/EM64T), all the kernel components must be 64bit. But the user
level components can be 32- or 64bit. Even if the application is 32bit, the
WinPcap driver is 64bit, so there is no 256MB limitation on the nonpaged
pool.</FONT></DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><FONT
face="Courier New" size=2></FONT> </DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><FONT
face="Courier New" size=2>Regarding a 64bit version of the user level
components, there's an experimental build of them here</FONT></DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><FONT
face="Courier New" size=2></FONT> </DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><A
href="http://www.winpcap.org/install/x64.htm">http://www.winpcap.org/install/x64.htm</A></DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><FONT
face="Courier New" size=2></FONT> </DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><FONT
face="Courier New" size=2>and I plan to release a new 4.1beta version by the end
of the year that includes both 32- and 64- user level components (and associated
lib files).</FONT></DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><FONT
face="Courier New" size=2></FONT> </DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><FONT
face="Courier New" size=2>Have a nice day</FONT></DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><FONT
face="Courier New" size=2>GV</FONT></DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><FONT
face="Courier New" size=2></FONT> </DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><FONT
face="Courier New" size=2></FONT> </DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">My
best regards and again thanks for the suggestions.</DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Hakan.</DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Hi,<BR><BR>
I am building a Win 32 application pair to monitor the SIP flow on a gateway.
Basically the machine running the monitor applications is connected to a hub
with the gateway. Main application monitors the SIP flow and runs
sub-applications according to the SIP informations. Sub-applications monitor
the RTP flows on forward and reverse directions. So all sub-applications have
2 pcap_t handles plus the main has 1. All have unique filters on the same
adapter. Yes, the sub-applications are better be threads but there are some
other restrictions irrelevant to wpcap that forces me to make them as
applications.<BR><BR> The machine runs on Win XP 32 bit with 2 GB of
ram, with all unnecessary services removed. Applications run smooth on around
60 channels ( that makes 60*2 + 1 => 121 handles ). But when the channel
count exceeds this boundry, findalldevs and open_live starts to fail. The
errors are generally :<BR><BR> Error in pcap_findalldevs:
PacketGetAdapterNames: ERROR_INSUFFICIENT_BUFFER(122)<BR><BR> Unable to
open the adapter. <adapter> is not supported by WinPcap - errbuf
:(NULL)<BR><BR> Unable to open the adapter. <adapter> is not
supported by WinPcap - errbuf : Cannot determine the network
type(0)<BR><BR> And mostly :<BR> Unable to open the adapter.
<adapter> is not supported by WinPcap - errbuf : driver error: not
enough memory to allocate the kernel buffer <BR> <BR>
First observations showed that when the total memory consumptions exceed 1GB
errors start. Thought to be a paging issue and disabled paging but did not
give a cure. As there is around 1 GB free physical ram available, I focussed
on the kernel memory usage, and found that the errors start as soon as the
non-paged kernel memory usage reaches around 256 MB ( which is the limit for
all Win 32 versions AFAIK ). Besides the CPU usage is very acceptable under
all circumstances.<BR> <BR> Can anyone clarify the reason
for these errors I am getting? Is it memory, handle limitations? And I'd be
thankful on suggestions on a solution. I already admit that everything has a
limit but a way to tripple or double the channel count ( e.g. monitoring
180-120 channels ) would be quite useful.<BR><BR>The problem is non paged pool
exaustion: every capture instance by default uses a 1MB kernel buffer that is
allocated from the non paged pool, plus some kB for the internal structures (I
don't remember exactly how many). <BR>Several solutions come to my mind:<BR>-
after you open the adapter with pcap_open_live, set the kernel buffer size to
a smaller one (with pcap_setbuff).<BR>- redesign your application so that you
open less pcap_t handles and then dispatch the packets to different
threads<BR>- use a 64bit machine.<BR><BR>Have a nice
day<BR>GV<BR><BR> <BR> As a note I am using the WinPcap
4.0.2. <BR> <BR> My best regards,<BR> <BR>
Hakan.<BR></DIV><BR>
<P>
<HR>
<P></P>_______________________________________________<BR>Winpcap-users
mailing
list<BR>Winpcap-users@winpcap.org<BR>https://www.winpcap.org/mailman/listinfo/winpcap-users<BR></BLOCKQUOTE></BODY></HTML>