On Mon, Dec 12, 2011 at 4:10 PM, wrote:
> On Mon, Dec 12, 2011 at 12:53:38PM -0800, Guy Harris wrote:
>
> > > Will I ever see HT40+,40- in case of beacons.
> >
> > Probably not.
> >
>
> > > Ok. So, there is nothing as a N beacon..
> > > Only advertisements at 1,6 rate and then actual data at N spe
> > That poll() is unnecessary in non-blocking mode only if the
> > application isn't expecting libpcap to return errors, and is
> > itself checking for those errors after the poll() call. That
> > would be the case only if the application knew it had to do
> > that special Linux-specific st
> On Dec 12, 2011, at 1:41 PM, Guy Harris wrote:
>
> > On Dec 12, 2011, at 3:59 AM, David Laight wrote:
> >
> >> I also think that interface could defer freeing the last
> >> rx buffer until the request to read another packet.
> >> That would avoid the necessity of a buffer copy
> >> for applicat
>
> On Dec 12, 2011, at 3:59 AM, David Laight wrote:
>
> > The linux libpcap has a poll() in the 'memory mapped'
> > kernel interface (in order to check for errors).
> > If the application is using poll() this is an unnecessary
> > system call.
>
> The only way libpcap can infer that the appli
On Dec 12, 2011, at 1:41 PM, Guy Harris wrote:
> On Dec 12, 2011, at 3:59 AM, David Laight wrote:
>
>> I also think that interface could defer freeing the last
>> rx buffer until the request to read another packet.
>> That would avoid the necessity of a buffer copy
>> for applications that don't
On Dec 12, 2011, at 1:18 PM, abhinav narain wrote:
> It's KB then, because the router has 64MB RAM
> So, it means, I am filling the buffer almost always.
No, what it means is "the process running your application has a 9.3MB virtual
address space", which says nothing about how much RAM it's usin
On Dec 12, 2011, at 1:10 PM, drag...@durandal.kismetwireless.net wrote:
> About the only time you'll see beacons on non-basic rates is a
> greenfield deployment, of which I've *never* found one in the wild
> despite all the manufacturers caring about it.
Will we see any greenfield deployments an
On Dec 12, 2011, at 3:59 AM, David Laight wrote:
> The linux libpcap has a poll() in the 'memory mapped'
> kernel interface (in order to check for errors).
> If the application is using poll() this is an unnecessary
> system call.
The only way libpcap can infer that the application is using poll
On Mon, Dec 12, 2011 at 12:53:38PM -0800, Guy Harris wrote:
> > Will I ever see HT40+,40- in case of beacons.
>
> Probably not.
>
> > Does this field in radiotap header (if it occurs) mean the interface beacon
> > came from was having the above (equivalently n) support?
>
> No. This field i
>
>
> > VSZ reports 9304 Bytes. I think this must be virtual address space.
>
> 9394 *bytes*? That's 15% of about 62KB; if that's 15% of your RAM, you're
> probably running on a machine with 64K, which I doubt.
>
> Did you mean 9394KB? top, at least on my machine (running Mac OS X),
> reports vari
On Dec 12, 2011, at 1:36 AM, abhinav narain wrote:
> I can't find any default buffer size in pcap,
The default size is platform-dependent. On Linux systems that support
memory-mapped capture (in both the kernel, which your kernel does, and in
libpcap, which libpcap 1.0 and later do), the defa
On Dec 12, 2011, at 12:31 AM, abhinav narain wrote:
> I see this usage by top command.
> VSZ reports 9304 Bytes. I think this must be virtual address space.
9394 *bytes*? That's 15% of about 62KB; if that's 15% of your RAM, you're
probably running on a machine with 64K, which I doubt.
Did you
> Is poll() better than select ?
poll() and select() use the same basic kernel code.
poll() is generally better since it doesn't have problems
with high numbered fds, and doesn't require a sparse
fd map to be scanned.
The linux libpcap has a poll() in the 'memory mapped'
kernel interface (in or
>> itself, as specified by pcap_set_buffer_size()?
> >>
> > Yes, I haven't used the pcap_set_buffer_size(), but in open_live(), I
> give the buffersize as BUFSIZ,
>
>
> There is no buffer size option in pcap_open_live(), so you *can't* give
> the buffer size in a pcap_open_live() call.
>
> I can't
On Sun, Dec 11, 2011 at 9:04 PM, Gianluca Varenni <
gianluca.vare...@riverbed.com> wrote:
> When you talk about 15% RAM, do you actually mean working set or virtual
> address space? Which version of linux are you using?
>
> I am using Openwrt on a Netgear router. Kernel 2.6.39
I see this usage by
On Dec 11, 2011, at 4:10 PM, abhinav narain wrote:
>> It sniffs for beacons by using bpf filter and keeps a per AP record of
>>> packet count etc in a table.
>>
>> So if that's all you're doing, you presumably don't have your own buffer
>> for packets; when you say "I already have 15% RAM being
-
From: tcpdump-workers-ow...@lists.tcpdump.org
[mailto:tcpdump-workers-ow...@lists.tcpdump.org] On Behalf Of abhinav narain
Sent: Sunday, December 11, 2011 4:11 PM
To: tcpdump-workers@lists.tcpdump.org
Subject: Re: [tcpdump-workers] capturing on both interfaces simultaneously
> It sniffs for
> It sniffs for beacons by using bpf filter and keeps a per AP record of
> > packet count etc in a table.
>
> So if that's all you're doing, you presumably don't have your own buffer
> for packets; when you say "I already have 15% RAM being eaten by the
> program, so I can't actually increase the b
On Dec 11, 2011, at 2:42 PM, abhinav narain wrote:
> It sniffs for beacons by using bpf filter and keeps a per AP record of
> packet count etc in a table.
So if that's all you're doing, you presumably don't have your own buffer for
packets; when you say "I already have 15% RAM being eaten by th
It sniffs for beacons by using bpf filter and keeps a per AP record of
packet count etc in a table.
Is poll() better than select ?
I can only see A,B,G in beacons in tcpdump code, reading the radiotap
header..
How can I infer an AP is N ?
On Sun, Dec 11, 2011 at 2:35 PM, Guy Harris wrote:
>
>
On Dec 11, 2011, at 11:17 AM, abhinav narain wrote:
>> What is "it"? Your program? Or just *some* program?
>>
> It's the return statement of perror.
Presumably you were calling perror() because some call returned -1; what call
was that? If something keeps returning -1 because, for example, i
RETURN VALUES
> Select() returns the number of ready descriptors that are contained in
> the descriptor sets, or -1 if an error occurred. If the time limit
> expires, select() returns 0. If select() returns with an error,
> including one due to an interrupted call, the descrip
On Dec 11, 2011, at 8:36 AM, abhinav narain wrote:
> the return value of error is -1,
> EINTR is 4.
For many UN*X APIs, "the return value" and "the error" are not the same; "the
return value" on an error is -1, and "the error" is in the variable "errno".
The select() man page on my system (not
I just ignored that case of return value -1 : and continued.
It works now.
The memory usage for two captures is 15%.
I think I didn't gain much using select()!
Abhinav
On Sun, Dec 11, 2011 at 12:09 PM, wrote:
> -[ Sun, Dec 11, 2011 at 11:36:14AM -0500, abhinav narain ]
> > the return value
-[ Sun, Dec 11, 2011 at 11:36:14AM -0500, abhinav narain ]
> the return value of error is -1,
> EINTR is 4.
errno is EINTR.
If select returns -1, check for errno. If errno == EINTR, just retry.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
the return value of error is -1,
EINTR is 4.
Also, it keeps printing ": Resource temporarily unavailable"
though I don't have any error statement to be printed.
This is increasing CPU usage
Abhinav
On Sun, Dec 11, 2011 at 7:48 AM, wrote:
> I did not remember what select() uses to return the re
I did not remember what select() uses to return the readable file
descriptors, but I do remember that any select can be interrupted
while still waiting, and that the error is then EINTR, so you have
to catch this particular error and ignore it (ie. merely loop on
it).
Googling for "non-restartable
I used the FD_IFSET() way to find out the descriptor.
I have an issue,
For few time dispatch works fine, but after I write the stats to a file,
and the loop returns to phy0, the programs quits with switch condition of
-1.
I don't see why ? I have the pcap{0,1} to non blocking. But this does not
wo
On Dec 10, 2011, at 11:58 PM, Cedric Cellier wrote:
>> I got it to work.
> (...)
>>> default: /* We got traffic */
>>> pcap_dispatch(pcap0,-1, (void *) packet_callback, NULL);
>>> pcap_dispatch(pcap1,-1, (void *) packet_callback2, NULL);
>
> So that others may benefit from it in the fut
> I got it to work.
(...)
> > default: /* We got traffic */
> > pcap_dispatch(pcap0,-1, (void *) packet_callback, NULL);
> > pcap_dispatch(pcap1,-1, (void *) packet_callback2, NULL);
So that others may benefit from it in the future, I
guess your fixed version looks like:
default:
if (t
I got it to work.
Thanks for replying on the thread
Abhinav
On Sat, Dec 10, 2011 at 8:15 PM, abhinav narain
wrote:
> Actually, I did better now ... but I don't know what should be done to
> call the corresponding dispatch
> If someone can give me a hint
>
>
> char *device0="phy0";
> char *
Actually, I did better now ... but I don't know what should be done to call
the corresponding dispatch
If someone can give me a hint
char *device0="phy0";
char *device1="phy1";
pcap0 = pcap_open_live(device0, BUFSIZ, 1, -1, errbuf);
pcap1 = pcap_open_live(device1, BUFSIZ, 1, -1, errbuf)
Two threads are too large on this.
I was unable to find how to set the set of interfaces to be restricted to 2
(the ones i want) and call the same callback on return from dispatch.
This code is not right, but I am clueless to proceed
Any direction will be good.
fd_set rfds;
char * device="p
-[ Sat, Dec 10, 2011 at 12:59:26PM -0800, Guy Harris ]
> > Unfortunately, I don't know any way to
> > associate a file descriptor with a pcap handle portably. :-(
>
> pcap_get_selectable_fd() if present in your libpcap, pcap_fileno() otherwise.
Thank you for the correction.
> > Yes junkie us
On Dec 10, 2011, at 12:58 PM, abhinav narain wrote:
> So, I can do select + pcap_dispatch to read on two interfaces without even
> using threads.
>
> I read select is slow for monitoring.
Possibly. If you don't care about portability, you could use epoll():
http://kernel.org/doc/man-
On Dec 10, 2011, at 12:38 PM, abhinav narain wrote:
> On Sat, Dec 10, 2011 at 3:18 PM, wrote:
>
>> Looks fine to me. What's eating 15% of your RAM, exactly?
>
> I think pthread while keeping the states
Is that 15% of your machine's RAM? Unless the threads have really large
stacks, or you ha
On Dec 10, 2011, at 12:18 PM, ri...@happyleptic.org wrote:
>> I am trying to use select, as it seems the most basic.
>
> If I understand correctly, you are replacing your threaded approach by a singly
> threaded program using select. Unfortunately, I don't know any way to
> associate a file descr
So, I can do select + pcap_dispatch to read on two interfaces without even
using threads.
I read select is slow for monitoring. But with only two interfaces, it
should not be a problem.
Abhinav
On Sat, Dec 10, 2011 at 3:50 PM, Guy Harris wrote:
>
> On Dec 10, 2011, at 7:39 AM, abhinav narain
On Dec 10, 2011, at 7:39 AM, abhinav narain wrote:
> Can I use pcap_loop when using select,
No.
You can, however, use pcap_dispatch(). pcap_loop() loops either indefinitely
or until it sees the specified number of packets; it will try to read more
packets from the underlying descriptor, and
On Sat, Dec 10, 2011 at 3:18 PM, wrote:
> Hi!
>
> > I was using pthreads for two interfaces, but I am trying to optimize
> now. I
> > have 15% memory usage.
>
> So you were capturing traffic on two threads with two distinct pcap
> handlers?
>
yes
> Looks fine to me. What's eating 15% of your RAM
Hi!
> I was using pthreads for two interfaces, but I am trying to optimize now. I
> have 15% memory usage.
So you were capturing traffic on two threads with two distinct pcap handlers?
Looks fine to me. What's eating 15% of your RAM, exactly?
> I am trying to use select, as it seems the most bas
I was using pthreads for two interfaces, but I am trying to optimize now. I
have 15% memory usage.
I am trying to use select, as it seems the most basic. Junkie uses threads
to do this, so can't really use it.
I want to sniff only beacons in the network, so I am attaching a bpf filter
on the handle
On Wed, Nov 30, 2011 at 01:06:19PM +0100, Joerg Mayer wrote:
> On Mon, Nov 28, 2011 at 02:35:24PM -0500, abhinav narain wrote:
> > I am using libpcap on Openwrt platform, Netgear router wndr3700v2.
> > I am able to capture packets on phy0, interface.
> > But what should I do to capture packets on p
On Mon, 2011-11-28 at 14:35 -0500, abhinav narain wrote:
> I don't think I can use "any" interface as it might capture packets from
> bridge interface also !
I use bonding to re-combine traffic from the Tx and Rx of a passive
optical tap. You might be able to use the same technique. Here is an
ex
On Mon, Nov 28, 2011 at 02:35:24PM -0500, abhinav narain wrote:
> I am using libpcap on Openwrt platform, Netgear router wndr3700v2.
> I am able to capture packets on phy0, interface.
> But what should I do to capture packets on phy0,phy1 simultaneously in the
> same program ?
>
> I don't think I
If you are willing to do this on a regular basis, the junkie sniffer [1]
(built atop libpcap) can do this with a somewhat complex command line
such as:
junkie -p /usr/local/lib/junkie/writer.so -i phy0 -i phy1 --file capture.pcap
If you are not doing this regularly, and considering you are doing
On Mon, Nov 28, 2011 at 11:35 AM, abhinav narain
wrote:
> hi,
> I am using libpcap on Openwrt platform, Netgear router wndr3700v2.
> I am able to capture packets on phy0, interface.
> But what should I do to capture packets on phy0,phy1 simultaneously in the
> same program ?
>
> I don't think I ca
hi,
I am using libpcap on Openwrt platform, Netgear router wndr3700v2.
I am able to capture packets on phy0, interface.
But what should I do to capture packets on phy0,phy1 simultaneously in the
same program ?
I don't think I can use "any" interface as it might capture packets from
bridge interfac