Wireshark · Ethereal-dev: RE: [Ethereal-dev] Too many pcap_open

Ethereal-dev: RE: [Ethereal-dev] Too many pcap_open_live calls during capture loop

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Jacques, Olivier (OCBU-Test Infra)" <olivier.jacques@xxxxxx>

Date: Wed, 1 Mar 2006 16:42:32 +0100

Ulfl and all,

I tried to narrow this problem down, and I have some interesting findings:
- pcap_open_live is not called for each packet received, but for a fraction of them (around one third)
- It doesn't occur with tethereal
- I get the problem only if "Update list of packets in real time" is checked (auto scrolling doesn't seem to change anything)
- On top of winpcap 3.1 vanilla, I just added one trace that logs a line to c:\tmp\wpcap.log (diff attached). So that you can reproduce it, I attached the resulting wpcap.dll (this is winpcap 3.1)
- When capturing IP traffic, I get many, many "pcap-win32.c: pcap_open_live" (ethereal-gtk2.exe).

For some reason, if I put a breakpoint on all pcap_open_live occurrences in Ethereal, the debugger doesn't stop during traffic. I suspect this has to do with starting another thread for capturing.
Looking at the differences between tethereal and ethereal capture loops, I wasn't able to see how this could be caused.

I'm sure you can reproduce the issue - and now I think that the problem is on Ethereal's side (not winpcap) and that every Windows user has it.

Olivier. 

> -----Original Message-----
> From: ethereal-dev-bounces@xxxxxxxxxxxx 
> [mailto:ethereal-dev-bounces@xxxxxxxxxxxx] On Behalf Of Ulf Lamping
> Sent: mercredi 22 février 2006 08:18
> To: Ethereal development
> Subject: Re: [Ethereal-dev] Too many pcap_open_live calls 
> during capture loop
> 
> Jacques, Olivier (OCBU-Test Infra) wrote:
> > It seems (hard to say for sure, as I generated traces to a 
> file / not 
> > a breakpoint), that the pcap_open_live is called for each 
> packet received.
> >   
> That's very strange and certainly not (directly?) caused by Ethereal.
> > Is there anything specific done by Ethereal with pcap/wpcap at the 
> > time a packet is received?
> >   
> No, Ethereal calls pcap_dispatch, so WinPcap will call 
> ld->packet_cb which is actually capture_loop_packet_cb for 
> each packet.
> 
> I'm pretty sure that Ethereal is calling pcap_open_live only 
> once for a whole capture run.
> > I'm not at the office currently, but I'll try to have a 
> further look 
> > at that next week.
> >   
> Are you *sure* that your trace message texts are correct (not 
> a cut and paste error)?
> 
> Regards, ULFL
> 
> _______________________________________________
> Ethereal-dev mailing list
> Ethereal-dev@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-dev
>

Attachment: wpcap.zip
Description: wpcap.zip

Attachment: wpcap_trace.diff
Description: wpcap_trace.diff

Prev by Date: Re: [Ethereal-dev] display filter
Next by Date: [Ethereal-dev] ethereal crash when set display filter
Previous by thread: Re: [Ethereal-dev] display filter
Next by thread: [Ethereal-dev] ethereal crash when set display filter
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$