[Winpcap-users] WinPcap and Netork Line Tap

Buffalo Bob Buffalo.Bob at comcast.net
Sun Aug 12 16:01:53 GMT 2007 

Hello,



I have been doing some experimenting using WinPcap to read packets from a non-aggregating network line tap. This tap provides two feeds from one network cable to two network interface cards. It splits the bidirectional network traffic into two separate streams, north bound and south bound.



I have tried several methods of re-combining the two streams back into one, but have not 100 percent success. The traffic on the network that I am analyzing is of the Request : Response type. The problem that I am having is that occasionally the application receives a Response before it receives its matching Request, and therefore the Response gets discarded. The timestamps on the pcap headers are correct, the packets are coming from the line tap into the driver correctly, but the driver is delivering them to my application out of order. 



The method that has achieved the best success so far is as follows : 

Using two threads, one reading from each adapter, here is the code flow -

 

AdapterHandle = pcap_open_live(

                               Device->name,

                               2048, 

                               PCAP_OPENFLAG_PROMISCUOUS,

                         -1, 

                               ErrorBuffer);

 

pcap_setmintocopy(AdapterHandle, 1); 

 

Events[0] = ShutdownSemaphore;            // set when application stops 

Events[1] = pcap_getevent(AdapterHandle);

 

while (TRUE)

{

  EN = WaitForMultipleObjects(2, &Events[0], FALSE, INFINITE);

 

  if (EN == WAIT_OBJECT_0 + 1)

  {

    RV = pcap_next_ex(AdapterHandle, 

                                    &Header, 

                                    (const unsigned char **) &Data);

  }

  else if (EN == WAIT_OBJECT_0)

  {

    break;

  }

 

// process the data

…

…

}  //  while (TRUE)

 

 

The application must process tens of thousands of packets per second, so that reordering the packets by timestamp is not possible. 

 

Does anyone have any suggestions on how to guarantee that my application will receive the packets in the correct order ?  Thank you.



Best regards,



Bob


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.winpcap.org/pipermail/winpcap-users/attachments/20070812/e6d556e2/attachment.htm

More information about the Winpcap-users mailing list