[Winpcap-users] sniffing multiple interfaces
Vasanth Neel
vsn.vasanth at gmail.com
Thu Nov 22 00:21:42 PST 2012
Hello Michael, Thanks for your response.
What kind of data rates are you throwing at the interfaces?
--> I am not sure i am getting you right here. but this sniffer i am
working on is used for voice logger and the signals are port mirrored from
the switch to the respective configured Interfaces on my testing server.
this snifffer should pretty much interested in TCP and UDP packets. TCP for
call data like caller id etc., and UDP for Voice payloads.
These are two NIC cards i have in my testing server,
Intel(R) PRO/1000 PL Network Connection
Intel(R) 82566DM-2 Gigabit NEtwork Connection
2. What kind of CPU usage do you see when running single and multiple
threads?
I have implemented the Producer Consumer Architecture in Threads.
Producer thread will read the packets from winpcap buffer and stored in STL
List FIFO pointer and then consumer thread will process the packets from
the list.
When sniffing multtiple interfaces using single Producer and single
consumer architecture i had 100% CPU usage but i get rid of that by putting
a sleep(1) in the consumer thread.
Everything works fine untill i sniff single interface. But when i try to
sniff on multiple interfaces it loss huge amount of packets.
I have Read lot of stuffs about the timeout used in the pcap_open_live but
it getting more confused and could nt know how to use this timeout.
Here is the complete code i am using in the producer thread to packet sniff
from mutiple interface,
// open the interfaces
m_hPcap1 = pcap_open_live(lpszDeviceName, 1500, 1, 1, error);
m_hPcap2 = pcap_open_live(lpszDeviceName, 1500, 1, 1, error);
// producer thread.
unsigned long CWinpCap::Run()
{
OutputDebugString("Entered into CWinpCap::Run()");
if(m_hPcap1 == NULL || m_hPcap2 == NULL)
{
OutputDebugString("m_hPcap1 or 2 is null and it is returned form run
func.");
return 0;
}
HANDLE hThread = GetCurrentThread();
if(hThread)
{
if(! SetThreadPriority(hThread,THREAD_PRIORITY_HIGHEST))
OutputDebugString("Thread Boosting Failed");
}
int PacketSize;
while(IsRunning())
{
pcap_pkthdr* header;
const u_char* pkt_data;
bool bProcess = true;
if(pcap_next_ex(m_hPcap1,&header,&pkt_data) >= 0)
{
ETHERNETHEADER* pEthernetHeader = (ETHERNETHEADER *) pkt_data;
IPHEADER* pIpHeader = (IPHEADER*)((char*)pEthernetHeader +
sizeof(ETHERNETHEADER));
u_char* ipPacketEnd = (u_char*)pIpHeader + ntohs(pIpHeader->ip_len);
PacketSize = (ipPacketEnd - pkt_data)+100; // winpcap padding
u_char* pPacket = (u_char*) malloc(PacketSize);
memcpy(pPacket,pkt_data,PacketSize);
m_SafeQueue.Enqueue(pPacket);
}
if(pcap_next_ex(m_hPcap2,&header,&pkt_data) >= 0)
{
ETHERNETHEADER* pEthernetHeader = (ETHERNETHEADER *) pkt_data;
IPHEADER* pIpHeader = (IPHEADER*)((char*)pEthernetHeader +
sizeof(ETHERNETHEADER));
u_char* ipPacketEnd = (u_char*)pIpHeader + ntohs(pIpHeader->ip_len);
PacketSize = (ipPacketEnd - pkt_data)+100; // winpcap padding
u_char* pPacket = (u_char*) malloc(PacketSize);
memcpy(pPacket,pkt_data,PacketSize);
m_SafeQueue.Enqueue(pPacket);
}
// skinny
// Sleep(1);
}
m_SafeQueue.Release();
return 0;
}
What i am doing wrong in the above?
Thanks
On Wed, Nov 21, 2012 at 6:52 PM, Black, Michael (IS) <Michael.Black2 at ngc.com
> wrote:
> What kind of data rates are you throwing at the interfaces?
> What kind of CPU usage do you see when running single and multiple threads?
>
>
> Michael D. Black
> Senior Scientist
> Advanced Analytics Directorate
> Advanced GEOINT Solutions Operating Unit
> Northrop Grumman Information Systems
> ------------------------------
> *From:* winpcap-users-bounces at winpcap.org [
> winpcap-users-bounces at winpcap.org] on behalf of Vasanth Neel [
> vsn.vasanth at gmail.com]
> *Sent:* Wednesday, November 21, 2012 2:11 AM
> *To:* winpcap-users at winpcap.org
> *Subject:* EXT :[Winpcap-users] sniffing multiple interfaces
>
> Hello Everyone,
>
> I had a requirement to sniff multiple interfaces to rtp pckets. Our
> application is stable when we sniff single interface but when i try to
> sniff multiple interface from single or multiple thread each opens the
> pcap_t devices seperately and uses pcap_next_ex to read the packets i got
> packet loss in large amount. i have tried to set the timeot to different
> levels like from 1 to 500 nothing seems to work.. here is the code sample
> that process the the multiple interfaces,
>
> while(IsRunning())
> {
>
> pcap_pkthdr* header;
> const u_char* pkt_data;
> bool bProcess = true;
> if(pcap_next_ex(m_hPcap1,&header,&pkt_data) >= 0)
> {
> ETHERNETHEADER* pEthernetHeader = (ETHERNETHEADER *) pkt_data;
> IPHEADER* pIpHeader = (IPHEADER*)((char*)pEthernetHeader +
> sizeof(ETHERNETHEADER));
> u_char* ipPacketEnd = (u_char*)pIpHeader + ntohs(pIpHeader->ip_len);
> PacketSize = (ipPacketEnd - pkt_data)+100; // winpcap padding
>
> u_char* pPacket = (u_char*) malloc(PacketSize);
> memcpy(pPacket,pkt_data,PacketSize);
> m_SafeQueue.Enqueue(pPacket);
> }
> if(pcap_next_ex(m_hPcap2,&header,&pkt_data) >= 0)
> {
> ETHERNETHEADER* pEthernetHeader = (ETHERNETHEADER *) pkt_data;
> IPHEADER* pIpHeader = (IPHEADER*)((char*)pEthernetHeader +
> sizeof(ETHERNETHEADER));
> u_char* ipPacketEnd = (u_char*)pIpHeader + ntohs(pIpHeader->ip_len);
> PacketSize = (ipPacketEnd - pkt_data)+100; // winpcap padding
>
> u_char* pPacket = (u_char*) malloc(PacketSize);
> memcpy(pPacket,pkt_data,PacketSize);
> m_SafeQueue.Enqueue(pPacket);
> }
> }
>
>
> What i am doing wrong in this? also i have seems some suggestion to use
> waitformultipleevents but i am not sure how to do that. any suggestions
> appreciated.
>
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.winpcap.org/pipermail/winpcap-users/attachments/20121122/65e2ada6/attachment.html>
More information about the Winpcap-users
mailing list