[Winpcap-users] Is pcap_next_ex() buffer circular?

[Guy Harris]

On Sep 20, 2006, at 7:15 PM, Rich Detering wrote:

> Our application is to read "raw" (layer 2 type) Ethernet packets  
> being transmitted from proprietary hardware to a dedicated NIC in  
> the host computer.  The procedure is to setup a test condition in  
> the external hardware, read the data response contained in the  
> Ethernet packets with pcap_next_ex() then setup a new test condition  
> and read the data and so on.  There is significant time between  
> reads and the expectation is that a new pcap_next_ex() call would  
> return the most recent packets.  However, it looks like the 1 MByte  
> buffer created by pcap_next_ex()

Actually, the buffer is in the kernel and is created by the WinPcap  
driver.  pcap_next_ex() is just one of many routines that uses the  
platform's "read packets from the buffer" operation; pcap_dispatch(),  
pcap_next(), and pcap_loop() also use it.

> fills with data

That either means that

	1) the proprietary hardware is transmitting more data than your  
application can cope with, and if you want *all* the data you'll need  
to read more often

or

	2) you're capturing more data than you need, in which case you should  
probably consider not using promiscuous mode (if the packets are being  
transmitted to the NIC's MAC address) and perhaps using a filter (so  
you capture *only* the packets being sent from the proprietary  
hardware).

> then new data is ignored until calls to pcap_next_ex() pulls off old  
> data to "make room" for new data.
>
> If the pcap_next_ex() buffer is not circular,

The WinPcap buffer isn't circular.

> what's the best way to flush it in preparation for new data?

The best way is not to have to flush it in the first place.  Are you  
getting more packets than you need to get?