Hi all,
I need to perform packet sniffing on several interfaces at the same
time.
My natural approach would be to open a pcap_t object for each interface
and place a "select" call (considering Linux) to deal with packet
dispatching. My only constraint is that I have to treat the received
packets in chronological order: indeed, I would like to process the data
as it gets to the interfaces, without introducing any reordering. If I
am not mistaken, it might be possible that a "select" call does not read
data in temporal order, if multiple FDs are ready at the time the
process is scheduled for running by the OS. Is that correct?
A work-around to this problem might be to move the capture on different
threads: each thread has its own pthread_t object and captures traffic
on a different interface. In this case, I do not have a clear picture
about which parts of libpcap are thread-safe and which not (my version
of reference is 1.1.1); I have found really old posts about
thread-safety issues in pcap_compile and pcap_setfilter (which I would
need: 1 common filter for each thread) but nothing more.
To sum up:
1) Could I/O multiplexing reorder packets during multiple-interface
sniffing?
2) What are the caveats to take into account when capturing from
different interfaces using threads (1 thread per interface, same BPF
filter for each thread)? Which parts of libpcap are not thread-safe
(v. >= 1.1.1)?
Thank you
Alberto Balesena
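
As an added illustration of the ordering concern raised in this post (not part of the original message, and not libpcap code): plain pipes stand in for the per-interface descriptors, and `select_batch`, `struct rec` and the timestamps are constructed for the example. It shows that one select() wake-up yields a ready set with no arrival order, and that sorting the batch on each record's timestamp is one way to recover it, assuming the timestamps are comparable across interfaces.

```c
#include <stdlib.h>
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

#define NIF 3   /* simulated interfaces; pipes stand in for capture fds */

/* Constructed stand-in for a captured packet. With libpcap the timestamp is
 * pcap_pkthdr.ts and the descriptor comes from pcap_get_selectable_fd(). */
struct rec { struct timeval ts; int ifidx; };

static int by_ts(const void *a, const void *b)
{
    const struct rec *x = a, *y = b;
    if (x->ts.tv_sec != y->ts.tv_sec) return x->ts.tv_sec < y->ts.tv_sec ? -1 : 1;
    return (x->ts.tv_usec > y->ts.tv_usec) - (x->ts.tv_usec < y->ts.tv_usec);
}

/* One record is queued per pipe in the order given by arrival[], then a single
 * select() is served in fd-index order. naive[] receives the interface order
 * as read, sorted[] the order after sorting the batch by timestamp.
 * Returns the number of records read, or -1 on error. */
int select_batch(const int arrival[NIF], int naive[NIF], int sorted[NIF])
{
    int p[NIF][2], maxfd = -1, n = 0;
    struct rec batch[NIF];
    fd_set rd;

    FD_ZERO(&rd);
    for (int i = 0; i < NIF; i++) {
        if (pipe(p[i]) < 0) return -1;
        FD_SET(p[i][0], &rd);
        if (p[i][0] > maxfd) maxfd = p[i][0];
    }
    for (int k = 0; k < NIF; k++) {          /* arrival order, 1 us apart */
        struct rec r = { .ifidx = arrival[k] };
        r.ts.tv_sec = 1000; r.ts.tv_usec = k + 1;   /* constructed timestamps */
        if (write(p[arrival[k]][1], &r, sizeof r) != (ssize_t)sizeof r) return -1;
    }
    if (select(maxfd + 1, &rd, NULL, NULL, NULL) < 0) return -1;
    for (int i = 0; i < NIF; i++)            /* the ready set has no arrival order */
        if (FD_ISSET(p[i][0], &rd) && read(p[i][0], &batch[n], sizeof batch[n]) > 0)
            naive[n++] = i;
    qsort(batch, n, sizeof batch[0], by_ts);
    for (int i = 0; i < n; i++) sorted[i] = batch[i].ifidx;
    for (int i = 0; i < NIF; i++) { close(p[i][0]); close(p[i][1]); }
    return n;
}
```

With arrival order 2, 0, 1 the descriptors are read as 0, 1, 2, and the timestamp sort restores 2, 0, 1.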