[Winpcap-users] How to ensure all packets are captured

Gianluca Varenni gianluca.varenni at cacetech.com
Mon Aug 10 12:49:56 PDT 2009 

Moving the processing code in a separate thread may or might not help. If you move the processing on a different thread and use a FIFO/linked list to pass the packets among the threads, you will need to copy the packets in your own allocated buffer. Copying a packet is extremely fast, but it makes sense only if your packet processing code is much more CPU intensive than copying the packet itself. Also, using a different thread makes sense if you run on a multicore machine, where basically you can use both the CPUs.
If you go this way, remember to preallocate and reuse the buffers in which you copy the packets, do not allocate a new buffer whenever you receive a packet.

Hope this helps
GV

  ----- Original Message ----- 
  From: Denis Kourktchan 
  To: winpcap-users at winpcap.org 
  Sent: Sunday, August 09, 2009 1:05 PM
  Subject: [Winpcap-users] How to ensure all packets are captured


  Hi Everybody,

   

  I am writing an application that is intercepting packets from a network and after reading a whole lot of posts regarding lost messages I figured the fault is usually in application taking too long to process a batch of packets which causes the overfilled buffer to replace oldest messages. So I decided that the following setup is the best possible way to ensure that my messages are not lost.

   

  1.       Put capture (using pcap_next_ex()) into a different thread then the processing.

  2.       Store packets immediately upon extraction into a custom written linked list, adding to the end and processing from the front (in different threads) ensuring no mutex controls are necessary and no idle time.

   

  Now here is the problem for which I need your expert advice, since the pcap_next_ex() returns pointers to data, I still need to extract them (I use for loop) before I can store which still preoccupies the capture thread and slows down extraction process. So is there a better way to extract packets without this delay?

   

  I would appreciate any and all advice regarding the optimal solution architecture wise.

   

  Regards,

   

  -          Dennis 

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   



------------------------------------------------------------------------------


  _______________________________________________
  Winpcap-users mailing list
  Winpcap-users at winpcap.org
  https://www.winpcap.org/mailman/listinfo/winpcap-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.winpcap.org/pipermail/winpcap-users/attachments/20090810/06ab2563/attachment.htm

More information about the Winpcap-users mailing list