[Winpcap-users] can I change a filter during capture with WinPCapwithout losing packets?
Gianluca Varenni
gianluca.varenni at cacetech.com
Mon Aug 23 16:28:48 PDT 2010
The problem is not the swap time. The problem is that immediately before the
swap, the kernel ring buffer holding the packets in the driver is emptied.
If the application didn't process all the packets (or for example the
application set a high timeout and high mintocopy value), then those packets
would be lost. It's a sort of corner case, but you need to be aware of it.
Have a nice day
GV
--------------------------------------------------
From: "Greg Hauptmann" <greg.hauptmann.ruby at gmail.com>
Sent: Sunday, August 22, 2010 1:44 PM
To: <winpcap-users at winpcap.org>
Subject: Re: [Winpcap-users] can I change a filter during capture with
WinPCapwithout losing packets?
> thanks - I guess for a situation where a few dropped packets is ok it
> would be much easier to just change the capture filter and potentially
> drop a few packets - would it be correct to assume the swap over time
> should be quite small, e.g. < 1sec for example?
>
>
> On 20 August 2010 06:51, Gianluca Varenni <gianluca.varenni at cacetech.com>
> wrote:
>> Yes, you can definitely open two capture instances at the same time.
>>
>> Have a nice day
>> GV
>>
>> --------------------------------------------------
>> From: "Greg Hauptmann" <greg.hauptmann.ruby at gmail.com>
>> Sent: Thursday, August 19, 2010 1:44 PM
>> To: <winpcap-users at winpcap.org>
>> Subject: Re: [Winpcap-users] can I change a filter during capture with
>> WinPCapwithout losing packets?
>>
>>> thank GV,
>>>
>>> How about have a second instance of WinPCap capturing packets in
>>> parallel with the new filter for a short time, and then kill off the
>>> initial one? Would WinPCap support this?
>>>
>>> thanks
>>>
>>>
>>> On 20 August 2010 03:55, Gianluca Varenni
>>> <gianluca.varenni at cacetech.com>
>>> wrote:
>>>>
>>>>
>>>> --------------------------------------------------
>>>> From: "Greg Hauptmann" <greg.hauptmann.ruby at gmail.com>
>>>> Sent: Tuesday, August 17, 2010 6:53 PM
>>>> To: <winpcap-users at winpcap.org>
>>>> Subject: [Winpcap-users] can I change a filter during capture with
>>>> WinPCapwithout losing packets?
>>>>
>>>>> Hi,
>>>>>
>>>>> Can I change a filter during capture with WinPCap without losing
>>>>> packets? Does WinPCap support this?
>>>>
>>>> No. When you change the filter, all the packets stored in the kernel
>>>> buffer
>>>> at that specific time are dropped.
>>>>
>>>> Have a nice day
>>>> GV
>>>>
>>>>>
>>>>> thanks
>>>>> _______________________________________________
>>>>> Winpcap-users mailing list
>>>>> Winpcap-users at winpcap.org
>>>>> https://www.winpcap.org/mailman/listinfo/winpcap-users
>>>>
>>>> _______________________________________________
>>>> Winpcap-users mailing list
>>>> Winpcap-users at winpcap.org
>>>> https://www.winpcap.org/mailman/listinfo/winpcap-users
>>>>
>>>
>>>
>>>
>>> --
>>> Greg
>>> http://blog.gregnet.org/
>>> _______________________________________________
>>> Winpcap-users mailing list
>>> Winpcap-users at winpcap.org
>>> https://www.winpcap.org/mailman/listinfo/winpcap-users
>>
>> _______________________________________________
>> Winpcap-users mailing list
>> Winpcap-users at winpcap.org
>> https://www.winpcap.org/mailman/listinfo/winpcap-users
>>
>
>
>
> --
> Greg
> http://blog.gregnet.org/
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users
More information about the Winpcap-users
mailing list