[Winpcap-users] Problems with using pcap_getevent

Gianluca Varenni gianluca.varenni at cacetech.com
Fri May 25 19:18:30 GMT 2007

  ----- Original Message ----- 
  From: Swaminathan Gurumoorthy 
  To: winpcap-users at winpcap.org 
  Sent: Thursday, May 17, 2007 3:26 PM
  Subject: [Winpcap-users] Problems with using pcap_getevent

  I am relatively new to using winpcap library. I am having issues with the Win32 extension pcap_getevent() API call.

  I have a windows application on my host system, asynchronously reading for ethernet type packets sent by another system (again using Winpcap SendPacket() function). I am waiting on an event that I am holding from the pcap_getevent() call. I also have my ethereal window open to confirm if my application is reading packets when they arrive.

  The problem is my application is not notified when the packet actually arrives. I looked through old archives and saw a note saying it is due to the kernel buffer being set to some high value. So I modified my open call to include PCAP_OPENFLAG_MAX_RESPONSIVENESS flag. I was hoping this will ensure the event will be triggered as soon as the 

It's not related to the kernel buffer size, it's related to the mintocopy parameter. The kernel buffer doesn't influence the responsiveness (up to a certain extent, but that's a totally different story). What influences the responsiveness is the mintocopy, i.e. the number of bytes that should be available in the kernel buffer before the read event gets signalled.

  packet arrives. But it did not happen. I also realized that I can use the pcap_setmintocopy() to set the buffer value. So I went ahead and set this value to a low number (less than my anticipated packet size). This led to a different problem. I see that my host program is getting the event now but it gets a slew of duplicate packets. I can see my ethereal window on the host system show duplicates as well.

This is really weird. Do the duplicate packets have the same exact timestamp? Can you post a small snippet of the code that you use to receive the packets from the adapter? In particular, are you checking for the return value of pcap_next_ex (supposing you are using this API)?

  I am sure the client did not send all those duplicate packets because the ethereal window on the client system is showing only one packet. I also confirmed this by commenting out the pcap_setmintocopy() call and see only one packet on my host ethereal window (but not on my application).

  Am I doing something wrong here? The documentation says "use of pcap_getevent is discouraged because it is not portable" but mine is a pure windows app and I am not worried about portability.

  I also do not want to go to a polling mode using pcap_read_next and all that because I am using this in a thread which is waiting for other events as well. I hate to write yet another thread that will poll and send the event.

I assume by "pcap_read_next" you mean "pcap_next_ex". Right? In any case, pcap_next_ex is *not* a polling function, unless you set the timeout (in pcap_open_xxx) to a 0 timeout. It waits on the read event *and* for a maximum timeout time. The only reason why you would use your custom wait code obtaining the read event with pcap_getevent() and WaitForSingleObject/WaitForMultipleObjects is if you want to capture from multiple adapters on the same thread, or you want to wait on multiple different events (e.g. a packet arrives and another totally unrelated event). In any other case I would stick with the pcap_next_ex function.

Hope it helps

  Any help will be much appreciated.


  Swaminathan Gurumoorthy
  1775 Milmont Dr, Apt S101
  Milpitas CA 95035


  Winpcap-users mailing list
  Winpcap-users at winpcap.org
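
The pattern discussed in this thread, as an added example that is not part of either poster's message or of WinPcap itself: one thread waits on the pcap_getevent() handle plus an unrelated event, and after each wake-up it drains the handle with pcap_next_ex, treating only a return value of 1 as a packet. The names drain_packets, capture_loop, fake_next and count_bytes are hypothetical, the mintocopy value is left to the caller, and the fake source is constructed so the drain logic also compiles and runs without WinPcap. It assumes the handle has a read timeout, since the last pcap_next_ex call of each drain can wait up to that long before returning 0.

```c
#include <stddef.h>

/* Return codes as for pcap_next_ex: 1 = packet, 0 = timeout (no packet), <0 = error/EOF. */
typedef int (*next_fn)(void *src, const unsigned char **data, unsigned *len);
typedef void (*packet_cb)(const unsigned char *data, unsigned len, void *user);

/* Run after the read event fires: hand each buffered packet to cb exactly once. */
int drain_packets(next_fn next, void *src, packet_cb cb, void *user)
{
    const unsigned char *data = NULL;
    unsigned len = 0;
    int rc, delivered = 0;
    while ((rc = next(src, &data, &len)) == 1) {   /* only 1 means "process it" */
        cb(data, len, user);
        delivered++;
    }
    return rc < 0 ? rc : delivered;   /* rc == 0: nothing left, go back to waiting */
}

/* Constructed stand-in for a capture handle: replays a script of return codes. */
struct fake_src { const int *rc; size_t n, i; };
int fake_next(void *src, const unsigned char **data, unsigned *len)
{
    static const unsigned char frame[14] = {0};   /* constructed 14-byte frame */
    struct fake_src *f = src;
    int rc = f->i < f->n ? f->rc[f->i++] : 0;
    if (rc == 1) { *data = frame; *len = sizeof frame; }
    return rc;
}
void count_bytes(const unsigned char *d, unsigned n, void *user) { (void)d; *(unsigned *)user += n; }

#ifdef _WIN32   /* WinPcap wiring (hypothetical helper names) */
#define WPCAP
#include <pcap.h>
#include <windows.h>
static int pcap_next_adapter(void *src, const unsigned char **data, unsigned *len)
{
    struct pcap_pkthdr *hdr;
    int rc = pcap_next_ex(src, &hdr, data);
    if (rc == 1) *len = hdr->caplen;   /* hdr and data are valid only when rc == 1 */
    return rc;
}
/* Returns 0 when stop is signalled (or the wait fails), <0 on a capture error. */
int capture_loop(pcap_t *p, HANDLE stop, int mintocopy, packet_cb cb, void *user)
{
    HANDLE ev[2] = { pcap_getevent(p), stop };
    int rc = pcap_setmintocopy(p, mintocopy);   /* bytes buffered before the event fires */
    while (rc >= 0 && WaitForMultipleObjects(2, ev, FALSE, INFINITE) == WAIT_OBJECT_0)
        rc = drain_packets(pcap_next_adapter, p, cb, user);
    return rc < 0 ? rc : 0;
}
#endif
```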