[prev in list] [next in list] [prev in thread] [next in thread]
List: winpcap-users
Subject: Re: [Winpcap-users] How can
From: "Gianluca Varenni" <gianluca.varenni () cacetech ! com>
Date: 2009-05-26 17:22:25
Message-ID: 854C0BF42E5D4720B2EC47030BB5E70C () nelson2
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
Sorry for jumping in this conversation late.
Please be aware that WinPcap does *not* overwrite older packets with new ones. If the \
kernel buffer (or the user buffer) is full, newer packets are simply dropped.
Have a nice day
GV
----- Original Message -----
From: Alan Jay Weiner
To: winpcap-users@winpcap.org
Sent: Tuesday, May 26, 2009 9:27 AM
Subject: Re: [Winpcap-users] How can igetthenew-estpacketfrombuffer?HELPPLEASE~!
I presume the packets contain some kind of status conditions and you're doing \
something based on the latest status.
What about using small buffers? The older data is overwritten by newer data - if \
the buffer is only large enough for 1 or 2 packets, you'll get the 1 or 2 most-recent \
packets. All the other packets will be lost, but that seems ok in your situation.
How many of the most-recent packets do you need? Is it sufficient to have only \
the most-recent packet?
- Al Weiner -
----------------------------------------------------------------------------
Alan Jay Weiner / Valid8.com, Inc. - Conform, Perform & Excel(tm)
500 W Cummings Park, Suite #2700, Woburn, MA 01801, USA
a.weiner@valid8.com / Tel:+1-781-938-1221 x112, Fax +1-781-207-0550
http://www.VALID8.com
------------------------------------------------------------------------------
From: winpcap-users-bounces@winpcap.org [mailto:winpcap-users-bounces@winpcap.org] \
On Behalf Of rst Sent: Tuesday, May 26, 2009 5:19 AM
To: winpcap-users@winpcap.org
Subject: Re: [Winpcap-users] How can i getthenew-estpacketfrombuffer?HELPPLEASE~!
The machine always sending packets , never stop.
and my computer only connected with the machine (using a crossover network cable).
so every packets I get are what I wanted, but only the newest packet I need.
Machine ----(Sending packets)---> My Computer .........................every \
0.000005 second
My Application ----(Get the newest packet)---> Get information to do \
control...................every 0.0001 second
if the buffer can contrain 10000 packets,
0.000005 * 10000 = 0.05 second,
so I can only get the information before 0.05 second,
but in my realtime control, i must get the information less than 0.0001 second.
so have any ideas?
Really thank you!!
If the other machine is sending a constant 200,000 packets per second and won't \
slow down, you may be out of luck. However, if the other machine sends 200,000 \
packet per second for a short burst (say 10 seconds), then you should be able to \
store those 2M packets into your own memory space. After you store the packets, you \
can do your analysis.
For a quick test, just change your control loop to do...
static int counter;
pcap_next_ex(...);
counter++;
That is, don't do anything with the packet (other than advance the buffer and \
count how many you receive). This will tell you how fast your machine can move \
through the buffer.
If this works well, then you need to do a memcpy() of the packet into \
pre-allocated space (i.e. malloc your own circular queue). This will slow down the \
loop, but should be much faster than 0.1ms.
Last question: Most packet capturing applications need to decode EVERY packet, \
are you saying that you do NOT need to decode every packet? If not, how do you know \
which packets you need to decode and which ones you don't?
DC
------------------------------------------------------------------------------
_______________________________________________
Winpcap-users mailing list
Winpcap-users@winpcap.org
https://www.winpcap.org/mailman/listinfo/winpcap-users
[Attachment #5 (text/html)]
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns="http://www.w3.org/TR/REC-html40" xmlns:v =
"urn:schemas-microsoft-com:vml" xmlns:o =
"urn:schemas-microsoft-com:office:office" xmlns:w =
"urn:schemas-microsoft-com:office:word" xmlns:st1 =
"urn:schemas-microsoft-com:office:smarttags"><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6000.16825" name=GENERATOR><!--[if !mso]>
<STYLE>v\:* {
BEHAVIOR: url(#default#VML)
}
o\:* {
BEHAVIOR: url(#default#VML)
}
w\:* {
BEHAVIOR: url(#default#VML)
}
.shape {
BEHAVIOR: url(#default#VML)
}
</STYLE>
<![endif]--><o:SmartTagType name="country-region"
namespaceuri="urn:schemas-microsoft-com:office:smarttags"></o:SmartTagType><o:SmartTagType \
name="PostalCode"
namespaceuri="urn:schemas-microsoft-com:office:smarttags"></o:SmartTagType><o:SmartTagType \
name="State"
namespaceuri="urn:schemas-microsoft-com:office:smarttags"></o:SmartTagType><o:SmartTagType \
name="City"
namespaceuri="urn:schemas-microsoft-com:office:smarttags"></o:SmartTagType><o:SmartTagType \
name="place"
namespaceuri="urn:schemas-microsoft-com:office:smarttags"></o:SmartTagType><o:SmartTagType \
name="Street"
namespaceuri="urn:schemas-microsoft-com:office:smarttags"></o:SmartTagType><o:SmartTagType \
name="address"
namespaceuri="urn:schemas-microsoft-com:office:smarttags"></o:SmartTagType><o:SmartTagType \
name="PersonName"
namespaceuri="urn:schemas-microsoft-com:office:smarttags"></o:SmartTagType><!--[if \
!mso]> <STYLE>
st1\:*{behavior:url(#default#ieooui) }
</STYLE>
<![endif]-->
<STYLE>
<!--
/* Font Definitions */
@font-face
{font-family:PMingLiU;
panose-1:2 1 6 1 0 1 1 1 1 1;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"\@PMingLiU";
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:PMingLiU;}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:Arial;
color:navy;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
-->
</STYLE>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></HEAD>
<BODY lang=EN-US vLink=purple link=blue bgColor=white>
<DIV><FONT size=2>Sorry for jumping in this conversation late.</FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2>Please be aware that WinPcap does *not* overwrite older
packets with new ones. If the kernel buffer (or the user buffer) is full, newer
packets are simply dropped.</FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2>Have a nice day</FONT></DIV>
<DIV><FONT size=2>GV</FONT></DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 \
2px solid; MARGIN-RIGHT: 0px"> <DIV style="FONT: 10pt arial">----- Original Message \
----- </DIV> <DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=a.weiner@valid8.com href="mailto:a.weiner@valid8.com">Alan Jay
Weiner</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=winpcap-users@winpcap.org
href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Tuesday, May 26, 2009 9:27 AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> Re: [Winpcap-users] How can
igetthenew-estpacketfrombuffer?HELPPLEASE~!</DIV>
<DIV><BR></DIV>
<DIV class=Section1>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">I presume the packets
contain some kind of status conditions and you’re doing something based on the
latest status.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: \
Arial"><o:p> </o:p></SPAN></FONT></P> <P class=MsoNormal><FONT face=Arial \
color=navy size=2><SPAN style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: \
Arial">What about using small buffers? The older data is overwritten by newer \
data - if the buffer is only large enough for 1 or 2 packets, you’ll get the 1 or 2 \
most-recent packets. All the other packets will be lost, but that seems
ok in your situation.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: \
Arial"><o:p> </o:p></SPAN></FONT></P> <P class=MsoNormal><FONT face=Arial \
color=navy size=2><SPAN style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: \
Arial">How many of the most-recent packets do you need? Is it \
sufficient to have only the most-recent packet?<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: \
Arial"><o:p> </o:p></SPAN></FONT></P> <P class=MsoNormal><FONT face=Arial \
color=navy size=2><SPAN style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: \
Arial"><o:p> </o:p></SPAN></FONT></P> <P class=MsoNormal><FONT face=Arial \
color=navy size=2><SPAN style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">- \
Al Weiner
-<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: \
Arial"><o:p> </o:p></SPAN></FONT></P> <DIV>
<P class=MsoNormal><FONT face="Times New Roman" color=navy size=3><SPAN
style="FONT-SIZE: 12pt; COLOR: navy; FONT-FAMILY: 'Times New \
Roman'"> </SPAN></FONT><FONT color=navy><SPAN style="COLOR: \
navy"><o:p></o:p></SPAN></FONT></P> <P class=MsoNormal><FONT face=Arial color=navy \
size=2><SPAN style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: \
Arial">----------------------------------------------------------------------------<BR>Alan \
Jay Weiner / Valid8.com, Inc. - Conform, Perform & Excel(tm)<BR>500 W
Cummings Park, <st1:address w:st="on"><st1:Street w:st="on">Suite
#</st1:Street>2700</st1:address>, <st1:place w:st="on"><st1:City
w:st="on">Woburn</st1:City>, <st1:State w:st="on">MA</st1:State>
<st1:PostalCode w:st="on">01801</st1:PostalCode>, <st1:country-region
w:st="on">USA</st1:country-region></st1:place><BR><A
href="mailto:a.weiner@valid8.com">a.weiner@valid8.com</A> /
Tel:+1-781-938-1221 x112, Fax +1-781-207-0550<BR><A
href="http://www.VALID8.com">http://www.VALID8.com</A> </SPAN></FONT><FONT
color=navy><SPAN style="COLOR: navy"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=navy size=3><SPAN
style="FONT-SIZE: 12pt; COLOR: navy; FONT-FAMILY: 'Times New \
Roman'"> </SPAN></FONT><o:p></o:p></P></DIV> <DIV>
<DIV class=MsoNormal style="TEXT-ALIGN: center" align=center><FONT
face=PMingLiU size=3><SPAN style="FONT-SIZE: 12pt">
<HR tabIndex=-1 align=center width="100%" SIZE=2>
</SPAN></FONT></DIV>
<P class=MsoNormal><B><FONT face=Tahoma size=2><SPAN
style="FONT-WEIGHT: bold; FONT-SIZE: 10pt; FONT-FAMILY: \
Tahoma">From:</SPAN></FONT></B><FONT face=Tahoma size=2><SPAN style="FONT-SIZE: \
10pt; FONT-FAMILY: Tahoma"> winpcap-users-bounces@winpcap.org \
[mailto:winpcap-users-bounces@winpcap.org] <B><SPAN style="FONT-WEIGHT: bold">On \
Behalf Of </SPAN></B>rst<BR><B><SPAN style="FONT-WEIGHT: bold">Sent:</SPAN></B> \
Tuesday, May 26, 2009 5:19 AM<BR><B><SPAN style="FONT-WEIGHT: bold">To:</SPAN></B> \
<st1:PersonName w:st="on">winpcap-users@winpcap.org</st1:PersonName><BR><B><SPAN
style="FONT-WEIGHT: bold">Subject:</SPAN></B> Re: [Winpcap-users] How can i
getthenew-estpacketfrombuffer?HELPPLEASE~!</SPAN></FONT><o:p></o:p></P></DIV>
<P class=MsoNormal><FONT face=PMingLiU size=3><SPAN
style="FONT-SIZE: 12pt"><o:p> </o:p></SPAN></FONT></P>
<DIV>
<P class=MsoNormal><FONT face=PMingLiU size=2><SPAN
style="FONT-SIZE: 10pt">The machine always sending packets , never
stop.</SPAN></FONT><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=PMingLiU size=2><SPAN
style="FONT-SIZE: 10pt">and my computer only connected with the machine (using
a crossover network cable).</SPAN></FONT><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=PMingLiU size=2><SPAN style="FONT-SIZE: 10pt">so
every packets I get</SPAN></FONT><FONT face="Times New Roman" size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Times New Roman'"> </SPAN></FONT><FONT
size=2><SPAN style="FONT-SIZE: 10pt">are what I wanted, but only the newest
packet I need.</SPAN></FONT><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" size=3><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New \
Roman'"> </SPAN></FONT><o:p></o:p></P></DIV> <DIV>
<P class=MsoNormal><FONT face=PMingLiU size=2><SPAN
style="FONT-SIZE: 10pt">Machine ----(Sending packets)---> My
Computer</SPAN></FONT><FONT face="Times New Roman" size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Times New \
Roman'"> </SPAN></FONT><FONT size=2><SPAN style="FONT-SIZE: 10pt"> \
.........................every 0.000005 second</SPAN></FONT><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" size=3><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New \
Roman'"> </SPAN></FONT><o:p></o:p></P></DIV> <DIV>
<P class=MsoNormal><FONT face=PMingLiU size=2><SPAN style="FONT-SIZE: 10pt">My
Application ----(Get the newest packet)---> Get information to do
control...................every 0.0001
second</SPAN></FONT><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" size=3><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New \
Roman'"> </SPAN></FONT><o:p></o:p></P></DIV> <DIV>
<P class=MsoNormal><FONT face=PMingLiU size=2><SPAN style="FONT-SIZE: 10pt">if
the buffer can contrain 10000 packets,</SPAN></FONT><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=PMingLiU size=2><SPAN
style="FONT-SIZE: 10pt">0.000005 * 10000 = 0.05
second,</SPAN></FONT><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=PMingLiU size=2><SPAN style="FONT-SIZE: 10pt">so
I can only get the information before 0.05
second,</SPAN></FONT><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=PMingLiU size=2><SPAN
style="FONT-SIZE: 10pt">but in my realtime control, i must get the information
less than 0.0001 second.</SPAN></FONT><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" size=3><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New \
Roman'"> </SPAN></FONT><o:p></o:p></P></DIV> <DIV>
<P class=MsoNormal><FONT face=PMingLiU size=2><SPAN style="FONT-SIZE: 10pt">so
have any ideas?</SPAN></FONT><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" size=3><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New \
Roman'"> </SPAN></FONT><o:p></o:p></P></DIV> <DIV>
<P class=MsoNormal><FONT face=PMingLiU size=2><SPAN
style="FONT-SIZE: 10pt">Really thank you!!</SPAN></FONT><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" size=3><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New \
Roman'"> </SPAN></FONT><o:p></o:p></P></DIV> <BLOCKQUOTE
style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0in; BORDER-TOP: medium none; \
PADDING-LEFT: 4pt; PADDING-BOTTOM: 0in; MARGIN: 5pt 0in 5pt 3.75pt; BORDER-LEFT: \
black 1.5pt solid; PADDING-TOP: 0in; BORDER-BOTTOM: medium none"> <DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">If the other machine is sending
a constant 200,000 packets per second and won't slow down, you may be out of
luck. However, if the other machine sends 200,000 packet per second
for a short burst (say 10 seconds), then you should be able to store those
2M packets into your own memory space. After you store the packets,
you can do your analysis.</SPAN></FONT><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" size=3><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New \
Roman'"> </SPAN></FONT><o:p></o:p></P></DIV> <DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">For a quick test, just change
your control loop to do...</SPAN></FONT><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" size=3><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New \
Roman'"> </SPAN></FONT><o:p></o:p></P></DIV> <DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">static int
counter;</SPAN></FONT><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" size=3><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New \
Roman'"> </SPAN></FONT><o:p></o:p></P></DIV> <DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: \
Arial">pcap_next_ex(...);</SPAN></FONT><o:p></o:p></P></DIV> <DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: \
Arial">counter++;</SPAN></FONT><o:p></o:p></P></DIV> <DIV>
<P class=MsoNormal><FONT face="Times New Roman" size=3><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New \
Roman'"> </SPAN></FONT><o:p></o:p></P></DIV> <DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">That is, don't do anything with
the packet (other than advance the buffer and count how many you
receive). This will tell you how fast your machine can move
through the buffer.</SPAN></FONT><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" size=3><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New \
Roman'"> </SPAN></FONT><o:p></o:p></P></DIV> <DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">If this works well, then you
need to do a memcpy() of the packet into pre-allocated space (i.e. malloc
your own circular queue). This will slow down the loop, but should be
much faster than 0.1ms.</SPAN></FONT><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" size=3><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New \
Roman'"> </SPAN></FONT><o:p></o:p></P></DIV> <DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Last question: Most packet
capturing applications need to decode EVERY packet, are you saying that you
do NOT need to decode every packet? If not, how do you know which
packets you need to decode and which ones you
don't?</SPAN></FONT><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" size=3><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New \
Roman'"> </SPAN></FONT><o:p></o:p></P></DIV> <DIV>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: \
Arial">DC</SPAN></FONT><o:p></o:p></P></DIV></BLOCKQUOTE></DIV> <P>
<HR>
<P></P>_______________________________________________<BR>Winpcap-users
mailing
list<BR>Winpcap-users@winpcap.org<BR>https://www.winpcap.org/mailman/listinfo/winpcap-users<BR></BLOCKQUOTE></BODY></HTML>
_______________________________________________
Winpcap-users mailing list
Winpcap-users@winpcap.org
https://www.winpcap.org/mailman/listinfo/winpcap-users
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic