Ethereal-dev: Re: [Ethereal-dev] Remote Capture Using rpcapd

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: Guy Harris <gharris@xxxxxxxxx>
Date: Wed, 27 Jul 2005 09:56:38 -0700
Ross Carlson wrote:
We put together a HOW-TO of sorts of the entire process, start to finish – from installing MSVC++ 6.0, Cygwin, hacking the sourcecode to use the pcap_next_ex() rather than the deprecated pcap_dispatch(),
The fact that pcap_dispatch() doesn't work on remote captures is a bug in WinPcap. The WinPcap developers might choose to mark it deprecated, but it's still a bug not to allow pcap_dispatch() work on remote captures, the same way pcap_loop() and pcap_next_ex() do. (For one thing, pcap_dispatch() isn't going away - that'd break source compatibility, and binary compatibility for applications linked dynamically with libpcap or WinPcap. For another, some applications might want to do a "fetch all packets I can get with one read from the underlying capture mechanism" operation; that's what Ethereal wants to do, for example.) 

pcap_read_remote() should do:

	if (!p->rmt_capstarted) {
		/* if the capture has not started yet, please start it */
		if (pcap_startcapture_remote(p))
			return -1;
	}
in the beginning, so that *all* routines that call it - including pcap_dispatch() - will get the remote capture started on the first read. This would also mean that "pcap_loop()" wouldn't need to do anything different for remote captures, and that pcap_next_ex() wouldn't have to do that check, either.
They could also add a read_nocb_op() routine to the pcap_t structure, and have pcap_next_ex() call it if that pointer is non-null; doing that would mean that pcap_next_ex() wouldn't have to check for remote captures, either, and that we could avoid using the fake callback on other platforms. However, we might be replacing read op with a different op, as per Darren Reed's suggestion: 

	http://www.tcpdump.org/lists/workers/2004/04/msg00079.html
so it might be premature to do that, and it's not necessary to make all the "read captured packet" routines work on remote captures.
And also, if we were able to do this – why hasn’t this been implemented in Ethereal already?
Because nobody'd informed us, until now, that remote capture in WinPcap was broken because pcap_dispatch() doesn't work on it?
I'll mention this to the WinPcap developers; hopefully, if it's not already fixed in the 3.1 source tree, they can fix it before the official 3.1 release.