[Winpcap-users] can I change a filter during capture with WinPCap without losing packets?

Guy Harris guy at alum.mit.edu
Mon Aug 23 16:38:54 PDT 2010


On Aug 23, 2010, at 4:28 PM, Gianluca Varenni wrote:

> The problem is not the swap time. The problem is that immediately before the 
> swap, the kernel ring buffer holding the packets in the driver is emptied.

FreeBSD has, as of FreeBSD 7.1:

	http://www.freebsd.org/cgi/man.cgi?query=bpf&apropos=0&sektion=0&manpath=FreeBSD+7.1-RELEASE&format=html

two ioctls to set the filter - one of which flushes the old packets in the buffer when switching filters (so that no packets that passed the old filter but would not have passed the new filter are left in the buffer to read after switching the filter), and one of which doesn't (for use in cases where you don't expect that, after setting the filter, *no* packets that would not pass the new filter will be read, which might be the case here).

WinPcap could probably do the same thing - but it currently doesn't, so that suggestion is currently of use only to somebody willing to dive in and tweak the WinPcap driver and run the modified driver.  For programs using libpcap/WinPcap, it'd also require a pcap_setfilter_noflush() call in libpcap/WinPcap.  (Now that FreeBSD has it, and given that I think Linux doesn't flush the buffer when you change the filter, it might be worth adding that API, although it'd fail on platforms where that can't be done.)

(Of course, if there's some mechanism by which a program can find out the names or IP addresses of *all* the HTTP proxy servers Greg's machine could be using, an ordinary filter giving "host XXX or host YYY or host ZZZ" would suffice here - you wouldn't have to try to capture the DNS reply giving the proxy IP address and switch the filter to look for that host.)
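The capture-side workaround this message circles around, written up here as an added example (it is not code from WinPcap, libpcap, or this message): leave the kernel filter broad and fixed, so it never has to be swapped and the driver's ring buffer is never emptied, then do the narrowing in userspace by watching DNS replies for the proxy's name and keeping only the TCP flows to the addresses those replies return. The assumed kernel filter is "udp port 53 or tcp"; the hostname proxy.example, the addresses, the ports and every frame below are constructed for the demo. In a real program the `wanted()` predicate would run inside the `pcap_loop` callback.

```python
"""Userspace post-filter that follows a DNS answer without changing the
kernel filter. Added example, not WinPcap/libpcap code; all packets constructed."""
import socket
import struct

ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def build_frame(src_ip, dst_ip, proto, sport, dport, payload):
    """Constructed Ethernet/IPv4/{UDP,TCP} frame (checksums left at zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == IPPROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:  # 20-byte TCP header, data offset 5, PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4


def parse_frame(frame):
    """Return (src, dst, proto, sport, dport, l4_payload) for IPv4 UDP/TCP, else None."""
    if len(frame) < ETH_LEN + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_LEN:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    if proto not in (IPPROTO_TCP, IPPROTO_UDP):
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    hdr = 8 if proto == IPPROTO_UDP else (l4[12] >> 4) * 4
    return src, dst, proto, sport, dport, l4[hdr:]


def _read_name(msg, off):
    """Decode a DNS name at msg[off], following compression pointers (RFC 1035 4.1.4)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        if n & 0xC0 == 0xC0:  # pointer: remember where the name ended, then jump
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
        elif n == 0:
            off += 1
            break
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
    return ".".join(labels).lower(), (end if end is not None else off)


def dns_a_records(payload):
    """Return [(name, ipv4)] for the A records in the answer section of a DNS response."""
    if len(payload) < 12:
        return []
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if not flags & 0x8000:  # QR bit clear: a query, not a response
        return []
    off, out = 12, []
    for _ in range(qd):
        _, off = _read_name(payload, off)
        off += 4  # QTYPE, QCLASS
    for _ in range(an):
        name, off = _read_name(payload, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            out.append((name, socket.inet_ntoa(payload[off:off + 4])))
        off += rdlen
    return out


class ProxyFollower:
    """Kernel filter stays fixed (assumed 'udp port 53 or tcp'); this narrows in userspace."""

    def __init__(self, proxy_names):
        self.names = {n.lower().rstrip(".") for n in proxy_names}
        self.proxy_ips = set()

    def wanted(self, frame):
        parsed = parse_frame(frame)
        if parsed is None:
            return False
        src, dst, proto, sport, _dport, payload = parsed
        if proto == IPPROTO_UDP and sport == 53:
            for name, ip in dns_a_records(payload):
                if name in self.names:
                    self.proxy_ips.add(ip)  # learned an address: widen the set, no kernel change
            return True
        return proto == IPPROTO_TCP and (src in self.proxy_ips or dst in self.proxy_ips)


def build_dns_reply(name, ip, txid=0x1234):
    """Constructed DNS response: one question, one A answer using a C00C pointer."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return hdr + qname + struct.pack("!HH", 1, 1) + answer


def demo():
    """Feed constructed frames through the follower; return labels of the kept ones."""
    follower = ProxyFollower(["proxy.example"])
    frames = [
        ("http-other-early", build_frame("10.0.0.5", "198.51.100.9", IPPROTO_TCP, 40000, 80, b"GET /")),
        ("dns-reply", build_frame("10.0.0.1", "10.0.0.5", IPPROTO_UDP, 53, 51000,
                                  build_dns_reply("proxy.example", "192.0.2.10"))),
        ("http-to-proxy", build_frame("10.0.0.5", "192.0.2.10", IPPROTO_TCP, 40001, 3128, b"CONNECT")),
        ("http-from-proxy", build_frame("192.0.2.10", "10.0.0.5", IPPROTO_TCP, 3128, 40001, b"HTTP/1.1 200")),
        ("http-other-late", build_frame("10.0.0.5", "198.51.100.9", IPPROTO_TCP, 40002, 80, b"GET /")),
    ]
    return [label for label, frame in frames if follower.wanted(frame)]


if __name__ == "__main__":
    print(demo())
```

The trade-off is the one the message describes for the no-flush ioctl: the kernel hands over more than the program ultimately wants (all TCP here), so the copy cost is higher, but nothing that arrived before the DNS answer was read is thrown away. If the set of proxy addresses turns out to be static, the last paragraph's plain "host XXX or host YYY" filter is simpler still.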

