[Winpcap-users] can I change a filter during capture with WinPCap without losing packets?
Gianluca Varenni
gianluca.varenni at cacetech.com
Tue Aug 24 10:49:34 PDT 2010
--------------------------------------------------
From: "Guy Harris" <guy at alum.mit.edu>
Sent: Monday, August 23, 2010 4:38 PM
To: <winpcap-users at winpcap.org>
Subject: Re: [Winpcap-users] can I change a filter during capture with WinPCap without losing packets?
>
> On Aug 23, 2010, at 4:28 PM, Gianluca Varenni wrote:
>
>> The problem is not the swap time. The problem is that immediately before
>> the swap, the kernel ring buffer holding the packets in the driver is
>> emptied.
>
> FreeBSD has, as of FreeBSD 7.1:
>
> http://www.freebsd.org/cgi/man.cgi?query=bpf&apropos=0&sektion=0&manpath=FreeBSD+7.1-RELEASE&format=html
>
> two ioctls to set the filter - one of which flushes the old packets in the
> buffer when switching filters (so that no packets that passed the old
> filter but would not have passed the new filter are left in the buffer to
> read after switching the filter), and one of which doesn't (for use in
> cases where you don't expect that, after setting the filter, *no* packets
> that would not pass the new filter will be read, which might be the case
> here).
>
> WinPcap could probably do the same thing - but it currently doesn't, so
> that suggestion is currently of use only to somebody willing to dive in
> and tweak the WinPcap driver and run the modified driver. For programs
> using libpcap/WinPcap, it'd also require a pcap_setfilter_noflush() call
> in libpcap/WinPcap. (Now that FreeBSD has it, and given that I think
> Linux doesn't flush the buffer when you change the filter, it might be
> worth adding that API, although it'd fail on platforms where that can't be
> done.)
The main problem would be Linux, where the only behavior is not flushing the
buffers. So either you have a broken API like pcap_setfilter that is
supposed to flush the buffer (but it doesn't), or you break the Linux
applications by adding the pcap_setfilter_noflush and have pcap_setfilter
fail on Linux. Something broken in both cases...
Have a nice day
GV
>
> (Of course, if there's some mechanism by which a program can find out the
> names or IP addresses of *all* the HTTP proxy servers Greg's machine could
> be using, an ordinary filter giving "host XXX or host YYY or host ZZZ"
> would suffice here - you wouldn't have to try to capture the DNS reply
> giving the proxy IP address and switch the filter to look for that host.)
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users
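To make the two flush semantics discussed above concrete, here is an added toy model (not WinPcap, libpcap or FreeBSD code; the buffer class, the packet fields and the "proxy" traffic are all constructed) of what userland receives when it learns the proxy host from a DNS reply and then narrows the capture filter while traffic is still landing in the kernel buffer.

```python
from dataclasses import dataclass
from typing import Callable, List
@dataclass(frozen=True)
class Pkt:
    seq: int
    host: str   # constructed stand-in for the packet's IP host
    kind: str   # "dns" or "http"

Filter = Callable[[Pkt], bool]

class CaptureBuffer:
    """Toy kernel ring buffer: queues packets that pass the installed filter."""
    def __init__(self, flt: Filter) -> None:
        self.flt = flt
        self.queue: List[Pkt] = []
    def arrive(self, p: Pkt) -> None:
        if self.flt(p):
            self.queue.append(p)
    def set_filter(self, flt: Filter, flush: bool) -> None:
        # flush=True models the flushing ioctl (unread packets are discarded);
        # flush=False the non-flushing one (they stay, even if they fail the new filter).
        self.flt = flt
        if flush:
            self.queue.clear()
    def read(self) -> List[Pkt]:
        out, self.queue = self.queue, []
        return out

def run_scenario(flush: bool) -> dict:
    """DNS reply reveals the proxy host; userland then narrows the filter to it."""
    buf = CaptureBuffer(lambda p: p.kind in ("dns", "http"))  # broad initial filter
    to_proxy: Filter = lambda p: p.host == "proxy"
    # Constructed traffic: proxy packets 2 and 4 are the ones the user wants to see.
    before_swap = [Pkt(2, "proxy", "http"), Pkt(3, "other", "http")]
    after_swap = [Pkt(4, "proxy", "http"), Pkt(5, "other", "http")]
    buf.arrive(Pkt(1, "resolver", "dns"))  # the DNS reply naming the proxy
    seen = buf.read()                       # userland reads and parses it...
    for p in before_swap:                   # ...while more traffic lands in the kernel
        buf.arrive(p)
    buf.set_filter(to_proxy, flush)         # the swap
    for p in after_swap:
        buf.arrive(p)
    seen += buf.read()
    delivered = [p.seq for p in seen]
    wanted = [p.seq for p in before_swap + after_swap if to_proxy(p)]
    return {
        "delivered": delivered,
        "lost": [s for s in wanted if s not in delivered],  # flushed before being read
        "stale": [p.seq for p in seen if p.kind == "http" and not to_proxy(p)],
    }
```

With flushing, the proxy packet that arrived before the swap is gone for good; without flushing nothing is lost, but userland must be prepared to re-check delivered packets against the new filter itself.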