[prev in list] [next in list] [prev in thread] [next in thread] 

List:       winpcap-users
Subject:    Re: [Winpcap-users] pcap_next_ex starts returning timeout after 4+	hours of capture
From:       Gianluca Varenni <Gianluca.Varenni () riverbed ! com>
Date:       2013-02-24 20:02:41
Message-ID: 8A9226C4990BF648BD21174A6F44BDFD7597E9D0 () 365EXCH-MBX-P5 ! nbttech ! com
[Download RAW message or body]

Ty,

have you tried with the 32bit version of Wireshark? Are you able to replicate the \
issue with a small c/C++ app?

Have a nice day
GV

From: winpcap-users-bounces@winpcap.org [mailto:winpcap-users-bounces@winpcap.org] On \
                Behalf Of Bekiares Tyrone-CTB041
Sent: Sunday, February 24, 2013 6:42 AM
To: winpcap-users@winpcap.org
Subject: Re: [Winpcap-users] pcap_next_ex starts returning timeout after 4+ hours of \
capture

As an added note, I ran Wireshark alongside the capture on the same machine with \
wireshark configured to save packets into two rotating 1GB files ('ring' file \
capture), and Wireshark did not stop receiving packets at the 4+ hour mark, while my \
app did.

Wireshark is 64bit, my app is 32. Would there be any strange maximum data captured \
limits in 32bit?

Thanks,
Ty

From: Bekiares Tyrone
Sent: Saturday, February 23, 2013 11:16 PM
To: 'winpcap-users@winpcap.org'
Subject: RE: pcap_next_ex starts returning timeout after 4+ hours of capture

One further note:

This is a HP Z400 workstation running Win7SP1/64bit capturing from an Intel Gigabit \
CT2 desktop adapter.

The app itself is 32bit.

tb

From: Bekiares Tyrone
Sent: Saturday, February 23, 2013 8:46 PM
To: 'winpcap-users@winpcap.org'
Subject: pcap_next_ex starts returning timeout after 4+ hours of capture

Hi,

I'm using winpcap to capture a ~3mb/s stream of UDP packets. We need to capture for \
long periods (e.g., 24 hours); our application processes the payload, extracts \
statistics, and logs the statistics to disk over time. This usually works for about 4 \
or so hours, and then repeated calls to pcap_next_ex() return timeout (no data), and \
finally stop returning altogether (block). Notably, I'm certain data is still coming \
in (I can see it in wireshark).

The app is written in java, and I've written a JNI interface in VS2010 which bridges \
Java to the winpcap.dll API. I believe we are seeing the problem on a relatively \
modern HP workstation w/ built-in Intel GB/s NICs, under Win7/64, running WinPcap \
4.1.2.

I open the device as follows:
pcap = pcap_open(adapterName, 65536,  PCAP_OPENFLAG_PROMISCUOUS,  1000,  NULL,  \
NULL);

I then set the following filter:
"(ip and udp) and (udp[8] & 0xEF = 0x80)" // RTP packets
Using:
pcap_compile()
and
pcap_setfilter()

I then continually call
pcap_next_ex()
and memcpy the resulting data into a reused memory buffer which is passed up to java \
through JNI NIO Direct Buffers.

This all works splendidly well until 4+ hours of capture, at which point \
pcap_next_ex() starts continually returning timeouts, and then eventually just blocks \
altogether.

I am not setting pcap_setmintocopy().

If I monitor the memory usage of my java process, there does not appear to be a \
memory leak.

Any ideas? Presumably, winpcap should support long captures without issue? Anyone \
experience something similar?

Thanks,
Ty


[Attachment #3 (text/html)]

<html xmlns:v="urn:schemas-microsoft-com:vml" \
xmlns:o="urn:schemas-microsoft-com:office:office" \
xmlns:w="urn:schemas-microsoft-com:office:word" \
xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" \
xmlns="http://www.w3.org/TR/REC-html40"> <head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
	{font-family:Tahoma;
	panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
	{font-family:Consolas;
	panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:11.0pt;
	font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:purple;
	text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
	{mso-style-priority:99;
	mso-style-link:"Balloon Text Char";
	margin:0in;
	margin-bottom:.0001pt;
	font-size:8.0pt;
	font-family:"Tahoma","sans-serif";}
span.BalloonTextChar
	{mso-style-name:"Balloon Text Char";
	mso-style-priority:99;
	mso-style-link:"Balloon Text";
	font-family:"Tahoma","sans-serif";}
span.EmailStyle19
	{mso-style-type:personal;
	font-family:"Calibri","sans-serif";
	color:windowtext;}
span.EmailStyle20
	{mso-style-type:personal;
	font-family:"Calibri","sans-serif";
	color:#1F497D;}
span.EmailStyle21
	{mso-style-type:personal;
	font-family:"Calibri","sans-serif";
	color:#1F497D;}
span.EmailStyle22
	{mso-style-type:personal;
	font-family:"Calibri","sans-serif";
	color:#1F497D;}
span.EmailStyle23
	{mso-style-type:personal-reply;
	font-family:"Calibri","sans-serif";
	color:#1F497D;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-size:10.0pt;}
@page WordSection1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
	{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Ty,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p>&nbsp;</o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">have you tried with the 32bit \
version of Wireshark? Are you able to replicate the issue with a small c/C&#43;&#43; \
app?<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="color:#1F497D"><o:p>&nbsp;</o:p></span></p> <p class="MsoNormal"><span \
style="color:#1F497D">Have a nice day<o:p></o:p></span></p> <p \
class="MsoNormal"><span style="color:#1F497D">GV<o:p></o:p></span></p> <p \
class="MsoNormal"><span style="color:#1F497D"><o:p>&nbsp;</o:p></span></p> <div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span \
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">From:</span></b><span \
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;"> \
winpcap-users-bounces@winpcap.org [mailto:winpcap-users-bounces@winpcap.org] <b>On \
Behalf Of </b>Bekiares Tyrone-CTB041<br> <b>Sent:</b> Sunday, February 24, 2013 6:42 \
AM<br> <b>To:</b> winpcap-users@winpcap.org<br>
<b>Subject:</b> Re: [Winpcap-users] pcap_next_ex starts returning timeout after \
4&#43; hours of capture<o:p></o:p></span></p> </div>
</div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">As an added note, I ran Wireshark \
alongside the capture on the same machine with wireshark configured to save packets \
into two rotating 1GB files (&#8216;ring&#8217; file capture), and Wireshark did not \
stop receiving packets  at the 4&#43; hour mark, while my app \
did.<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="color:#1F497D"><o:p>&nbsp;</o:p></span></p> <p class="MsoNormal"><span \
style="color:#1F497D">Wireshark is 64bit, my app is 32. Would there be any strange \
maximum data captured limits in 32bit? <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p>&nbsp;</o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Thanks,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Ty<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p>&nbsp;</o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span \
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">From:</span></b><span \
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;"> \
Bekiares Tyrone <br>
<b>Sent:</b> Saturday, February 23, 2013 11:16 PM<br>
<b>To:</b> 'winpcap-users@winpcap.org'<br>
<b>Subject:</b> RE: pcap_next_ex starts returning timeout after 4&#43; hours of \
capture<o:p></o:p></span></p> </div>
</div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">One further \
note:<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="color:#1F497D"><o:p>&nbsp;</o:p></span></p> <p class="MsoNormal"><span \
style="color:#1F497D">This is a HP Z400 workstation running Win7SP1/64bit capturing \
from an Intel Gigabit CT2 desktop adapter.<o:p></o:p></span></p> <p \
class="MsoNormal"><span style="color:#1F497D"><o:p>&nbsp;</o:p></span></p> <p \
class="MsoNormal"><span style="color:#1F497D">The app itself is \
32bit.<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="color:#1F497D"><o:p>&nbsp;</o:p></span></p> <p class="MsoNormal"><span \
style="color:#1F497D">tb<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="color:#1F497D"><o:p>&nbsp;</o:p></span></p> <div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span \
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">From:</span></b><span \
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;"> \
Bekiares Tyrone <br>
<b>Sent:</b> Saturday, February 23, 2013 8:46 PM<br>
<b>To:</b> 'winpcap-users@winpcap.org'<br>
<b>Subject:</b> pcap_next_ex starts returning timeout after 4&#43; hours of \
capture<o:p></o:p></span></p> </div>
</div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Hi,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt"><o:p>&nbsp;</o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt">I&#8217;m using winpcap to \
capture a ~3mb/s stream of UDP packets. We need to capture for long periods (e.g., 24 \
hours); our application processes the payload, extracts statistics, and logs the \
statistics to disk  over time. This usually works for about 4 or so hours, and then \
repeated calls to pcap_next_ex() return timeout (no data), and finally stop returning \
altogether (block). Notably, I&#8217;m certain data is still coming in (I can see it \
in wireshark).<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-size:10.0pt"><o:p>&nbsp;</o:p></span></p> <p class="MsoNormal"><span \
style="font-size:10.0pt">The app is written in java, and I&#8217;ve written a JNI \
interface in VS2010 which bridges Java to the winpcap.dll API.<span \
style="color:#1F497D"> I believe we are seeing the problem on a relatively modern HP \
workstation  w/ built-in Intel GB/s NICs, under Win7/64, running WinPcap \
4.1.2.<o:p></o:p></span></span></p> <p class="MsoNormal"><span \
style="font-size:10.0pt"><o:p>&nbsp;</o:p></span></p> <p class="MsoNormal"><span \
style="font-size:10.0pt">I open the device as follows:<o:p></o:p></span></p> <p \
class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt">pcap = \
pcap_open(adapterName, 65536,&nbsp; PCAP_OPENFLAG_PROMISCUOUS,&nbsp; 1000,&nbsp; \
NULL,&nbsp; NULL);<o:p></o:p></span></p> <p class="MsoNormal" \
style="text-autospace:none"><span \
style="font-size:10.0pt"><o:p>&nbsp;</o:p></span></p> <p class="MsoNormal" \
style="text-autospace:none"><span style="font-size:10.0pt">I then set the following \
filter:<o:p></o:p></span></p> <p class="MsoNormal" style="text-autospace:none"><span \
style="font-size:10.0pt">&quot;(ip and udp) and (udp[8] &amp; 0xEF = 0x80)&quot; // \
RTP packets<o:p></o:p></span></p> <p class="MsoNormal" \
style="text-autospace:none"><span \
style="font-size:10.0pt">Using:<o:p></o:p></span></p> <p class="MsoNormal" \
style="text-autospace:none"><span \
style="font-size:10.0pt">pcap_compile()<o:p></o:p></span></p> <p class="MsoNormal" \
style="text-autospace:none"><span style="font-size:10.0pt">and<o:p></o:p></span></p> \
<p class="MsoNormal" style="text-autospace:none"><span \
style="font-size:10.0pt">pcap_setfilter()<o:p></o:p></span></p> <p class="MsoNormal" \
style="text-autospace:none"><span \
style="font-size:10.0pt"><o:p>&nbsp;</o:p></span></p> <p class="MsoNormal" \
style="text-autospace:none"><span style="font-size:10.0pt">I then continually \
call<o:p></o:p></span></p> <p class="MsoNormal" style="text-autospace:none"><span \
style="font-size:9.5pt;font-family:Consolas">pcap_next_ex()<o:p></o:p></span></p> <p \
class="MsoNormal" style="text-autospace:none"><span \
style="font-size:9.5pt;font-family:Consolas">and memcpy the resulting data into a \
reused memory buffer which is passed up to java through JNI NIO Direct \
Buffers.<o:p></o:p></span></p> <p class="MsoNormal" style="text-autospace:none"><span \
style="font-size:9.5pt;font-family:Consolas"><o:p>&nbsp;</o:p></span></p> <p \
class="MsoNormal" style="text-autospace:none"><span \
style="font-size:9.5pt;font-family:Consolas">This all works splendidly well until \
4&#43; hours of capture, at which point pcap_next_ex() starts continually returning \
timeouts, and then eventually just blocks  altogether.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span \
style="font-size:9.5pt;font-family:Consolas"><o:p>&nbsp;</o:p></span></p> <p \
class="MsoNormal" style="text-autospace:none"><span \
style="font-size:9.5pt;font-family:Consolas">I am not setting \
pcap_setmintocopy().<o:p></o:p></span></p> <p class="MsoNormal" \
style="text-autospace:none"><span \
style="font-size:9.5pt;font-family:Consolas"><o:p>&nbsp;</o:p></span></p> <p \
class="MsoNormal" style="text-autospace:none"><span \
style="font-size:9.5pt;font-family:Consolas">If I monitor the memory usage of my java \
process, there does not appear to be a memory leak.<o:p></o:p></span></p> <p \
class="MsoNormal" style="text-autospace:none"><span \
style="font-size:9.5pt;font-family:Consolas"><o:p>&nbsp;</o:p></span></p> <p \
class="MsoNormal" style="text-autospace:none"><span \
style="font-size:9.5pt;font-family:Consolas">Any ideas? Presumably, winpcap should \
support long captures without issue? Anyone experience something \
similar?<o:p></o:p></span></p> <p class="MsoNormal" style="text-autospace:none"><span \
style="font-size:9.5pt;font-family:Consolas"><o:p>&nbsp;</o:p></span></p> <p \
class="MsoNormal" style="text-autospace:none"><span \
style="font-size:9.5pt;font-family:Consolas">Thanks,<o:p></o:p></span></p> <p \
class="MsoNormal" style="text-autospace:none"><span \
style="font-size:9.5pt;font-family:Consolas">Ty<o:p></o:p></span></p> <p \
class="MsoNormal" style="text-autospace:none"><span \
style="font-size:9.5pt;font-family:Consolas"><o:p>&nbsp;</o:p></span></p> <p \
class="MsoNormal" style="text-autospace:none"><span \
style="font-size:10.0pt"><o:p>&nbsp;</o:p></span></p> <p class="MsoNormal" \
style="text-autospace:none"><span \
style="font-size:10.0pt"><o:p>&nbsp;</o:p></span></p> </div>
</body>
</html>



_______________________________________________
Winpcap-users mailing list
Winpcap-users@winpcap.org
https://www.winpcap.org/mailman/listinfo/winpcap-users

--===============2504219721303009252==--

[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic