[Winpcap-users] can I change a filter during capturewithWinPCapwithout losing packets?
Gianluca Varenni
gianluca.varenni at cacetech.com
Tue Aug 24 11:16:13 PDT 2010
I understood that on Linux it's not possible to flush the buffer ("given
that I think Linux doesn't flush the buffer when you change the filter"),
but I didn't have a look at the specific linux code.
Have a nice day
GV
--------------------------------------------------
From: "Guy Harris" <guy at alum.mit.edu>
Sent: Tuesday, August 24, 2010 10:58 AM
To: <winpcap-users at winpcap.org>
Subject: Re: [Winpcap-users] can I change a filter during
capturewithWinPCapwithout losing packets?
>
> On Aug 24, 2010, at 10:49 AM, Gianluca Varenni wrote:
>
>> The main problem would be linux, where the only behavior is not flushing
>> the
>> buffers. So either you have a broken API like pcap_setfilter that is
>> supposed to flush the buffer (but it doesn't) or you break the linux
>> applications by adding the pcap_setfilter_noflush and have pcap_setfilter
>> fail on linux. Something broken in both cases...
>
> Eh?
>
> On those BPF-based systems with the BIOCSETFNR ioctl, pcap_setfilter()
> flushes the buffer and pcap_setfilter_noflush() doesn't.
>
> On those BPF-based systems without the BIOCSETFNR ioctl, pcap_setfilter()
> flushes the buffer and pcap_setfilter_noflush() returns an error.
>
> On Linux, pcap_setfilter() flushes the buffer because it makes an effort
> to do so (see set_kernel_filter() in pcap-linux.c) and
> pcap_setfilter_noflush() doesn't (because it doesn't go through all the
> effort to do so that pcap_setfilter() does).
>
> On Windows, if WinPcap added a call to change the filter without flushing,
> pcap_setfilter() flushes the buffer and pcap_setfilter_noflush() doesn't.
>
> On systems without kernel-based filtering, neither of them flush the
> buffer, as the next packet read after the filter is changed is run through
> the new filter.
>
> On other systems with kernel-based filtering and without a "change filter
> without flushing the buffer" call, pcap_setfilter() flushes the buffer and
> pcap_setfilter_noflush() returns an error.
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users
More information about the Winpcap-users
mailing list