pcap - not receiving traffic [OS X, El Capitan]

I am creating a software switch, as a school project. It's implemented in C using lpcap and working fine (despite some bugs) on my Ubuntu machine. However I have a Mac and it's not working there as it should.

When frame is captured using pcap_next_ex() number of captured frames is increased. For some reason during first few seconds (5 to 30) it doesn't increment number of frames, like no frames were received, BUT I CAN SEE those frames in Wireshark. How is this possible?

If interested here is my code. https://github.com/Horkyze/Software-switch

Answers


For some reason during first few seconds (5 to 30) it doesn't increment number of frames, like no frames were received,

Or, rather, like no frames were passed from the capture mechanism to libpcap.

Given that you did not set a timeout, the default timeout is used. It happens to be 0; the behavior with a timeout is platform-dependent and undefined and, for systems that use BPF, such as OS X (and *BSD and Solaris 11), that behavior is "don't pass packets from the capture mechanism to userland until there's no room for the next packet in the kernel packet buffer", which means that the delay between the reception of a frame and its delivery to userland could be arbitrarily long.

Apple's pcap_set_timeout() man page is more emphatic about this (and I'm going to change the standard libpcap man page to say the same thing:

   The behavior, if the timeout isn't specified, is undefined.  We  recom-
   mend always setting the timeout to a non-zero value.

Given the "switch" in the name of your application, you probably don't want any timeout at all but instead want "immediate mode". In immediate mode, set with pcap_set_immediate_mode() rather than pcap_set_timeout(), packets are delivered to user mode as soon as they arrive.

This will also work on Ubuntu (including immediate mode if it's a new enough version of Ubuntu that it has a version of libpcap with immediate mode). Note that, on a Linux system with a version of the kernel new enough to implement TPACKET_V3 and a version of libpcap new enough to use TPACKET_V3, the behavior can be quite different from versions of Linux where either the kernel or libpcap doesn't do TPACKET_V3, so setting the timeout is a good idea on any OS.


Need Your Help

How come this regex is not greedy?

regex perl regex-greedy

This is a follow-up from Perl regular expression to match an IP address. I wanted to show how to solve the problem correctly, but ran into an unexpected behaviour.

Key for Subclipse icons

eclipse subclipse

Does anyone know of a comprehensive key for the range of Subclipse icons?