Hello,
I have a problem where my app pipes the output of tcpdump over a
network connection and on slower connections it appears that libpcap
sometimes doesn't write out the whole packet data segment. I believe
this is being caused by the lack of error checking in pcap_dump():
(0.9.4) savefile.c

    void
    pcap_dump(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
    {
        register FILE *f;
        struct pcap_sf_pkthdr sf_hdr;

        f = (FILE *)user;
        sf_hdr.ts.tv_sec = h->ts.tv_sec;
        sf_hdr.ts.tv_usec = h->ts.tv_usec;
        sf_hdr.caplen = h->caplen;
        sf_hdr.len = h->len;
        /* XXX we should check the return status */
        (void)fwrite(&sf_hdr, sizeof(sf_hdr), 1, f);
        (void)fwrite((char *)sp, h->caplen, 1, f);
    }
As far as I can tell fwrite() will occasionally write short. I'm
assuming this is because my pipe is "backed up" and libpcap can't write
any more data to it (though I would expect it to block in that case,
so I'm not really sure what's causing it to temporarily write short
data).
Is there any plan to change this behavior? It would be useful to me
if it retried and wrote out the rest of the data, since I'm going to
lose packets anyway, it would be nice if the output wasn't corrupted
too.
Any info appreciated.
Thanks,
Cove
-
This is the tcpdump-workers list.
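
Added example, not part of the original message and not libpcap code: one way to write a record so that a short write is resumed and a hard error reaches the caller. It swaps the buffered fwrite() on a FILE * for write(2) on a file descriptor; struct rec_hdr, write_all() and dump_record() are hypothetical names, and rec_hdr only mirrors the four fields copied in the quoted pcap_dump().

```c
#include <errno.h>
#include <poll.h>
#include <stdint.h>
#include <unistd.h>

/* Hypothetical stand-in for struct pcap_sf_pkthdr: the four fields the
 * quoted pcap_dump() copies, as fixed-width integers. */
struct rec_hdr {
    uint32_t ts_sec, ts_usec, caplen, len;
};

/* Write exactly n bytes to fd. A short write() is resumed from where it
 * stopped; EINTR is retried; EAGAIN (non-blocking pipe that is full) waits
 * for POLLOUT. Returns 0 on success, -1 with errno set on a hard error. */
static int write_all(int fd, const void *buf, size_t n)
{
    const unsigned char *p = buf;

    while (n > 0) {
        ssize_t w = write(fd, p, n);
        if (w >= 0) {
            p += w;
            n -= (size_t)w;
        } else if (errno == EAGAIN || errno == EWOULDBLOCK) {
            struct pollfd pfd = { .fd = fd, .events = POLLOUT };
            if (poll(&pfd, 1, -1) < 0 && errno != EINTR)
                return -1;
        } else if (errno != EINTR) {
            return -1;
        }
    }
    return 0;
}

/* Emit one record: header, then caplen bytes of packet data. The caller
 * learns about a failure instead of the stream being silently cut short. */
int dump_record(int fd, const struct rec_hdr *h, const unsigned char *sp)
{
    if (write_all(fd, h, sizeof(*h)) != 0)
        return -1;
    return write_all(fd, sp, h->caplen);
}
```

If dump_record() returns -1 after the header has already gone out, the stream ends mid-record, so the caller should stop writing to that descriptor rather than append further records.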