[Winpcap-users] Timeouts and buffering for interactive, interruptible captures?
Dirk Loss
lists at dirk-loss.de
Mon Sep 10 14:02:37 GMT 2007
Hello,

I am porting an interactive packet sending and capturing application
from Unix to Windows. Basically, we send packets and analyse the responses.

The original Unix version uses select() to wait for new packets before
calling pcap_next_ex(). On Windows I use WaitForMultipleObjects() with a
fixed 500ms timeout instead.

As the event seems to be signalled only if the kernel buffer is full, I
use pcap_setmintocopy(0) to set this buffer to zero size. But now I seem
to miss some packets if the time delta between two packets is low.

I also tried non-blocking I/O with pcap_setnonblock(1), but it does not
seem to have any effect: pcap_next_ex() only returns after the next
packet is received.

What is the right way to deal with this?

- The user should be able to interrupt the packet capture with Ctrl-C.
  So blocking I/O is only allowed if a maximum timeout (i.e. 500ms) can be
  given or Ctrl-C is honored internally.
- After each received packet we need to analyze it in order to decide if
  we have already got all responses or if we must continue receiving. This
  analysis is done in Python and might take some time (but less than 100s).
- What "to_ms" value shall I use? I experimented some time and now use
  to_ms=1 as Nmap does.
- Where shall packet buffering be done in this case (packet32, wpcap,
  application code)?

Any help would be appreciated.

Regards
Dirk

My Configuration:
- Windows XP SP2
- 1 Ethernet interface
- WinPcap 4.0.1 (packet.dll 4.0.0.901)
- pypcap 1.1, customized to support pcap_setmintocopy()