[Winpcap-users] about pcap_stat data fields

[Gianluca Varenni]

----- Original Message ----- 
From: "Renato Araújo Ferreira" <marina.peixe at terra.com.br>
To: <winpcap-users at winpcap.org>
Sent: Sunday, December 28, 2008 10:30 AM
Subject: [Winpcap-users] about pcap_stat data fields


> Hello all,
>
> I have some doubts about pcap_stat struct as follow:
>
> - Which kinds of packet drop 'ps_drop' counts? Packet discarded by filter 
> (pcap_compiler), performance bottlenecks (full kernel buffer) or both?

Dropped because the kernel buffer is full.

>
> - Is 'ps_capt' a simple difference between 'ps_recv' and 'ps_drop'? Why 
> this field exists?

ps_capt accounts for the number of packets that have been accepted by the 
filter *and* processed by the application.
ps_capt is always less or eual to ps_recv-ps_drop, since some packets can be 
still stored in the internal buffer and not been delivered to the 
application, yet.


>
> - Is 'ps_netdrop' field the total of packets lost before they reach the 
> local NIC? How the system or winpcap could know this value?

That counter makes sense only in the case of remote capture. When remote 
capture is used and UDP is the chosen transport, this counter accounts for 
the number of packets that were lost between the remote probe and the local 
machine.


>
> - And, finaly, can I safely define HAVE_REMOTE to access the 'ps_capt' and 
> 'ps_netdrop' fields?

As I said, ps_netdrop is useful only in the case of remote capture. And yes, 
you can safely define HAVE_REMOTE to access such fields.

GV

>
> Could someone help me?
>
> Thanks,
>
> Renato A. Ferreira
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users