Does recv remove packets from pcap's buffer?

Say there are two programs running on a computer (to simplify, the only user programs running on Linux), one of which calls recv(), and one of which uses pcap to detect incoming packets. A packet arrives, and it is detected by both the program using pcap and the program using recv. But is there any case (for example, recv() returning between pcap_next() calls) in which one of these two programs does not receive the packet?

I really don’t understand how the buffering system works, so the more detailed the explanation, the better. Is there any conceivable case in which one of these programs sees a packet that the other does not? And if so, what is it and how can I prevent it?

+3
1 answer

AFAIK, there are cases where one can get the data while the other does not (in both directions). It’s possible that I have some details wrong, but I’m sure that someone will correct me.

Pcap uses various mechanisms for sniffing interfaces, but here's how the general case works:

  • The network card receives the packet (driver is notified via interrupt)
  • The kernel puts this packet in the appropriate listening queues: for example,
    • TCP stack.
    • Bridge driver if the interface is connected to the bridge.
    • The interface used by PCAP (raw socket connection).
  • These buffers are flushed independently of each other:
    • As you build TCP streams and transfer data to processes.
    • When the bridge sends a packet to the corresponding connected interfaces.
    • PCAP .

, , . , ( , , ). , Ethernet, .

, , . , . Google , , .

, , . Netgraph . , ( , ).

+2
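The independent queues described in the answer can be observed from the recv() side. The following is an added example, not part of the original answer: it fills a small UDP receive queue on loopback without reading it, then reads that socket's kernel drop counter. It assumes Linux and the usual `/proc/net/udp` column layout; the function names and the sample text are constructed for illustration.

```python
import socket

# Constructed sample in /proc/net/udp layout (last column is "drops").
SAMPLE = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when "
    "retrnsmt   uid  timeout inode ref pointer drops\n"
    "  101: 0100007F:9C40 00000000:0000 07 00000000:00000900 00:00000000 "
    "00000000  1000        0 55555 2 0000000000000000 197\n"
    "  102: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 "
    "00000000     0        0 44444 2 0000000000000000 0\n"
)

def udp_drops(proc_text, port):
    """Return the 'drops' counter of the UDP socket bound to `port`,
    parsed from /proc/net/udp-format text, or None if it is not listed."""
    for line in proc_text.splitlines()[1:]:           # skip the header row
        f = line.split()
        # f[1] is local "HEXADDR:HEXPORT", f[12] is the drops column
        if len(f) >= 13 and int(f[1].rsplit(":", 1)[1], 16) == port:
            return int(f[12])
    return None

def overflow_demo(sent=200, size=1024):
    """Send `sent` datagrams to a socket that is not being read, then
    report how many were queued and how many the kernel dropped."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 4096)  # tiny queue
    rx.bind(("127.0.0.1", 0))                         # ephemeral port
    port = rx.getsockname()[1]
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for _ in range(sent):
        tx.sendto(b"x" * size, ("127.0.0.1", port))   # succeeds even if dropped
    with open("/proc/net/udp") as fh:
        dropped = udp_drops(fh.read(), port)
    rx.setblocking(False)
    received = 0
    try:
        while True:                                   # drain what was queued
            rx.recv(size)
            received += 1
    except BlockingIOError:
        pass
    rx.close()
    tx.close()
    return sent, received, dropped

if __name__ == "__main__":
    print("sent=%d received=%d dropped=%s" % overflow_demo())
```

A capture running on the same interface has its own buffer, so it can still see datagrams this socket dropped; libpcap reports losses on the capture side separately through `pcap_stats()` (`ps_drop`).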

Source: https://habr.com/ru/post/1794520/

