Could you explain what you mean by outbound beacons?
I have been able to capture beacons using libpcap.
Am I missing something?
Abhinav
On Mon, Oct 31, 2011 at 3:27 PM, Yifan Zhang wrote:
>
> Hello all,
>
> I am writing my own program, which will be running on a 802.11 AP, to
> capture
hi,
I am using libpcap on Openwrt platform, Netgear router wndr3700v2.
I am able to capture packets on the phy0 interface.
But what should I do to capture packets on phy0,phy1 simultaneously in the
same program ?
I don't think I can use "any" interface as it might capture packets from
bridge interfac
hi,
I have been running tcpdump on my laptop and openwrt router (netgear).
I have used the command :
iw phy phy1 set channel 40 ht40+/ht40-/ht20
But I have not been able to hear n beacons.
Is it that tcpdump can't decipher n beacons ?
I went through code and saw PRINT_HT_RATES and ieee80211_htra
n the handle
Can I use pcap_loop when using select, or do I have to use recvfrom in a loop?
Abhinav
On Wed, Nov 30, 2011 at 10:25 AM, wrote:
> On Wed, Nov 30, 2011 at 01:06:19PM +0100, Joerg Mayer wrote:
> > On Mon, Nov 28, 2011 at 02:35:24PM -0500, abhinav narain wrote:
> > > I am u
On Sat, Dec 10, 2011 at 3:18 PM, wrote:
> Hi!
>
> > I was using pthreads for two interfaces, but I am trying to optimize now. I
> > have 15% memory usage.
>
> So you were capturing traffic on two threads with two distinct pcap
> handlers?
>
yes
> Looks fine to me. What's eating 15% of your RAM
So, I can do select + pcap_dispatch to read on two interfaces without even
using threads.
I read select is slow for monitoring. But with only two interfaces, it
should not be a problem.
Abhinav
On Sat, Dec 10, 2011 at 3:50 PM, Guy Harris wrote:
>
> On Dec 10, 2011, at 7:39 AM, abhinav
Two threads are too large on this.
I was unable to find how to set the set of interfaces to be restricted to 2
(the ones i want) and call the same callback on return from dispatch.
This code is not right, but I am clueless to proceed
Any direction will be good.
fd_set rfds;
char * device="p
callback, NULL);
pcap_dispatch(pcap1,-1, (void *) packet_callback2, NULL);
}
// Put your service routine here.. is called when select times out or
when a packet is processed
}
On Sat, Dec 10, 2011 at 7:12 PM, abhinav narain
wrote:
> Two threads are too large on this.
>
> I was
I got it to work.
Thanks for replying on the thread
Abhinav
On Sat, Dec 10, 2011 at 8:15 PM, abhinav narain
wrote:
> Actually, I did better now ... but I don't know what should be done to
> call the corresponding dispatch
> If someone can give me a hint
>
>
> char *d
I used the FD_ISSET() way to find out the descriptor.
I have an issue,
For few time dispatch works fine, but after I write the stats to a file,
and the loop returns to phy0, the programs quits with switch condition of
-1.
I don't see why ? I have the pcap{0,1} to non blocking. But this does not
wo
the return value of error is -1,
EINTR is 4.
Also, it keeps printing ": Resource temporarily unavailable"
though I don't have any error statement to be printed.
This is increasing CPU usage
Abhinav
On Sun, Dec 11, 2011 at 7:48 AM, wrote:
> I did not remember what select() uses to return the re
I just ignored that case of return value -1 : and continued.
It works now.
The memory usage for two captures is 15%.
I think I didn't gain much using select()!
Abhinav
On Sun, Dec 11, 2011 at 12:09 PM, wrote:
> -[ Sun, Dec 11, 2011 at 11:36:14AM -0500, abhinav narain ]
> &
RETURN VALUES
> Select() returns the number of ready descriptors that are contained in
> the descriptor sets, or -1 if an error occurred. If the time limit
> expires, select() returns 0. If select() returns with an error,
> including one due to an interrupted call, the descrip
:
>
> On Dec 11, 2011, at 11:17 AM, abhinav narain wrote:
>
> >> What is "it"? Your program? Or just *some* program?
> >>
> > It's the return statement of perror.
>
> Presumably you were calling perror() because some call returned -1; what
> call was
> It sniffs for beacons by using bpf filter and keeps a per AP record of
> > packet count etc in a table.
>
> So if that's all you're doing, you presumably don't have your own buffer
> for packets; when you say "I already have 15% RAM being eaten by the
> program, so I can't actually increase the b
On Sun, Dec 11, 2011 at 9:04 PM, Gianluca Varenni <
gianluca.vare...@riverbed.com> wrote:
> When you talk about 15% RAM, do you actually mean working set or virtual
> address space? Which version of linux are you using?
>
> I am using Openwrt on a Netgear router. Kernel 2.6.39
I see this usage by
>> itself, as specified by pcap_set_buffer_size()?
> >>
> > Yes, I haven't used the pcap_set_buffer_size(), but in open_live(), I
> > give the buffersize as BUFSIZ,
>
>
> There is no buffer size option in pcap_open_live(), so you *can't* give
> the buffer size in a pcap_open_live() call.
>
> I can't
>
>
> > VSZ reports 9304 Bytes. I think this must be virtual address space.
>
> 9394 *bytes*? That's 15% of about 62KB; if that's 15% of your RAM, you're
> probably running on a machine with 64K, which I doubt.
>
> Did you mean 9394KB? top, at least on my machine (running Mac OS X),
> reports vari
On Mon, Dec 12, 2011 at 4:10 PM, wrote:
> On Mon, Dec 12, 2011 at 12:53:38PM -0800, Guy Harris wrote:
>
> > > Will I ever see HT40+,40- in case of beacons.
> >
> > Probably not.
> >
>
> > > Ok. So, there is nothing as a N beacon..
> > > Only advertisements at 1,6 rate and then actual data at N spe
I wanted to know how much percentage of the original wireless traffic do I
lose when I am sniffing on monitor interfaces ?
pcap statistics show me no packet loss, but I wanted to know, if the
virtual interfaces( phy{0,1}) itself gave me all the traffic or not.
Ideal case would have been sweeping o
. the
statistics pcap gives ...
Can anyone suggest how to get this information while i am writing code in
userland.
Abhinav narain
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
hi,
I have seen tcpdump, wireshark both just print packet contents till mac
header in monitor mode.
In case of normal wireless interfaces (wlan0), they follow a different
execution path.
Can someone tell me what should I expect in the frame after
ieee80211_hdr (which comes after the radiotap he
> field - that's the case only for SNAP frames, where the DSAP and SSAP are
> 0xAA - and, for SNAP frames, the protocol ID field is an Ethernet type only
> if the organization code is 00:00:00.
>
> Shall i use some other llc struct to find out the data packet is of which
transport layer protocol
Abhinav Narain
>
>
> By the way, note that the 802.11 header is *variable length*; the length
> depends on, for example, whether the frame has one, two, three, or four MAC
> addresses, and on whether it's a QoS frame.
Yes, I am taking care of that :)
Abhinav
> Oh, and one more thing:
>
> Some network adapters, when running in a mode where they supply an 802.11
> header (such as monitor mode), put some padding in between the 802.11
> header and the payload, so the 802.2 LLC header in a data frame might not
> immediately follow the 802.11 header (regardl
Please do so. my last two messages bounced back !
-Abhinav
On Wed, Apr 18, 2012 at 6:05 PM, Sam Roberts wrote:
> For what it's worth, the last message I saw was on Mar 13th, though I
> have 2 or 3 more messages than I can see on
> http://news.gmane.org/gmane.network.tcpdump.devel
>
> I'm CCing
for packet capture (I can't use pcap for that; I have modified
skbuff) and it's worse than twice!
Memory increase is fine.
Can anyone suggest what's going on? Or how to improve
-Abhinav Narain
___
tcpdump-workers mailing list
tcpdump-wo
hi
I wanted to know why MSG_PEEK is used in the recv() call in mmap code and
not recvfrom() with MSG_TRUNC flag.
The reason I am asking is because I see my code takes a lot of CPU, which
is due to more looping, I suppose.
The flag description for MSG_PEEK shows it doesn't disc
The ioctl could be traced to another function call on struct sock *, but I
have not been able to comprehend the meaning of the timestamp provided.
Please clarify.
-Abhinav Narain
@Guy,
Basically, I was adding my own header (instead of radiotap) in kernel and
processing it in userland with my own code. Basically I wrote my own pcap
for that.
Since I did not get the performance, now I have added extra fields in
radiotap.
But I still see high CPU usage.
It's interesting that y
I have understood the codeflow without using Eclipse :-)
Why don't you try that way !
-Abhinav
On Mon, Nov 12, 2012 at 3:54 AM, Subbi Tk wrote:
> hi All,
> I am new to tcpdump and libpcap, I have downloaded the source files and
> trying to compile in eclipse also facing some issue or the
hi everyone,
I have written my own data collection tool, for custom needs using
libpcap for wireless interfaces(2.4,5 GHz) on a router.
I could not find any flag in tcpdump that i can collect only x
number of mgmt packets, y number of control packets and
the rest data packets.
The issue i face is
Thanks for replying on this, as I am actually helpless on this issue for
days now.
As you're saying "libpcap" rather than WinPcap, I'm assuming this is some
> flavor of UN*X, such as Linux.
>
> You are right, it's running 2.6.32 on OpenWrt.
> Could you build a profiled version of your tool (compi
Hi Guy,
Thanks for clearing this
> It does absolutely nothing whatsoever to discover whether there are other
> versions of tcpdump are running.
Ok
> Am I right to say that the two processes spin on some shared resource ?
>
> Given that I don't know what routines in the programs or libraries the
hi Guy,
> What happens if you eliminate that (and any code paths that eliminating
> that breaks)?
>
> That seems to be the biggest difference between your code and tcpdump's
> code (both your program and tcpdump use pcap_loop() as their main loops).
I turned off SIGPROCMASK stuff ... it did not
On Thu, Apr 18, 2013 at 8:37 AM, abhinav narain
wrote:
> hi Guy,
>
> What happens if you eliminate that (and any code paths that eliminating
>> that breaks)?
>>
>>
The biggest issue for me to understand is, why is the CPU usage going up
when
two instances of the
sk() block, instead
of using
it in callback function (which I am doing now ) ?
sigprocmask(block) ..
pcap_loop()
sigprocmask(unblock) ..
How will the signals work then ?
-
Abhinav
On Thu, Apr 18, 2013 at 9:06 AM, abhinav narain
wrote:
>
> On Thu, Apr 18, 2013 at 8:37 AM, abhinav narain > wr
iw (iw phy
phy0 .interface add phe0 ..)
Any suggestions,
please let me know.
-
Abhinav
On Fri, Apr 19, 2013 at 12:22 AM, abhinav narain
wrote:
> Hi Guy,
> This is one thing I am confused about.
>
> I am right now setting the sigprocmask
> in the callback function :
> pkt_ca
Status : bug fixed.
-
Abhinav
On Sat, Apr 20, 2013 at 12:51 AM, abhinav narain
wrote:
>
> Hi guy,
> I have strace of both tcpdump and mac-analyzer(my tool) from the router
> attached.
>
> I cannot understand why the file descriptor number is different in tcpdump
> a
CPU utilization but that does not help !
Can you please explain why pcap behaves like this ?
I am guessing tcpdump also captures the whole packet even when I use -s
option,
because I get low CPU usage with any option in tcpdump !
-
Abhinav
On Sat, Apr 20, 2013 at 1:18 AM, abhinav narain
wrote
Hi Everyone,
I am doing a packet capture on 480 MHz router on ethernet interface using
pcap and see packet drops for anything greater than 50-60 Mbps.
My question is following :
Does pcap (and hence the kernel) create a new queue for all the packets in
the promiscuous or is it collecting all packe
Hi Guy,
I infer from "eth0" that this is Linux. (DD-WRT or some other
> OpenWRT-based project?)
>
> Yes. OpenWrt based netgear router.
> On Linux, libpcap creates a PF_PACKET socket for each open pcap_t for a
> regular network interface such as eth0. Each PF_PACKET socket has a queue
> of its