Socket read with pcap


Problem description

I have a socket bound to a NIC that I am using to capture packets in a pcap_loop.

I have a separate process running that eventually does a "read" on that same device, but only after a unix local pipe is ready to be read. Is it correct to say that the read() on the device from the 2nd process will read everything that's ready, not just one packet at a time, even though my other process is set up to use pcap_loop to read a packet at a time?

Recommended answer

I have a socket bound to a NIC that I am using to capture packets in a pcap_loop.

You say "socket", so I'm guessing that this is Linux (it could also be IRIX, but that's a lot less likely, and the answer is the same in either case; other OSes don't use sockets in libpcap, the native capture mechanism on those OSes uses mechanisms other than sockets).

I have a separate process running that eventually does a "read" on that same device, but only after a unix local pipe is ready to be read. Is it correct to say that the read() on the device from the 2nd process will read everything that's ready, not just one packet at a time,

No. A PF_PACKET socket returns one packet at a time from a read().

There is, by the way, no guarantee that reading from the socket with a read and handling the same socket in libpcap at the same time will work. Libpcap might be using the memory-mapped mechanism to get the packets; unless you've seen documentation on how the memory-mapped mechanism works with read()s done elsewhere, or have read the Linux kernel code enough to figure out how it works, you might not want to assume it'll work the way you want.

If, however, this is FreeBSD, as suggested (but not stated) by the tag, then what libpcap is using is a BPF device, *NOT* a socket. A read() will give you an entire bufferful of packets, and the read()s done by libpcap will give libpcap an entire bufferful of packets, even if it happens to call your callback once per packet. The same issues of read() vs. memory-mapped access could occur, but the memory-mapped BPF in later versions of FreeBSD isn't, by default, used by libpcap.
