
Re: [Libevent-users] how the difference of libevent version 1.4 and 2.0 influence libpcap events?



I modified res = pcap_dispatch(handle, -1, collect_pkt, (u_char *)pkt_queue); to res = pcap_dispatch(handle, 1, process_pkt, NULL); and tried to process each received packet.

The whole source code is in capture.tar.gz.

I run the program on host 192.168.0.106, and open a browser on another host to visit 192.168.0.106:8000.
I use tcpdump with the same filter expression as in the capture program to capture the packets (see attachment).

There are 16 packets altogether, but the program only captures 10 packets, that is 3 4 5 8 9 10 11 12 13 15.
The on_capture event was triggered 14 times, in the order below:

* 3 4 5 * 8 * 9 10 11 12 13 * 15

* means that pcap_dispatch returned 0; for the other numbers (3 4 5 8 9 10 11 12 13 15) pcap_dispatch returned 1.
As for the missing 16th packet, it may be that I ended my program before I closed the tcpdump process. So it means my capture program can't capture packets 1 2 6 7 14.

Why does this happen? Why can't my program capture all the packets?

On Wed, Oct 14, 2015 at 12:27 AM, Mark Ellzey <mthomas@xxxxxxxxxx> wrote:


On Tue, Oct 13, 2015 at 3:20 PM, Mark Ellzey <mthomas@xxxxxxxxxx> wrote:

There shouldn't be a difference, technically that is. 1.x differs greatly though in functionality, but is backwards compat with 1.x. A few years ago I did a 2.x conversion for some very old code: https://github.com/ellzey/trafan/blob/master/trafan.c with pcap.

and *many* many years ago I did this which never moved out to 2.x, completely 1.0. But it still works with old/new pcap and libevent as seen here:



But mind you, pcap_dispatch with -1 means you may be processing a ton of packets, all of which call your pcap callback.


All of this was done 9-10 years ago; so no mocking! (though it has been ripped and used for profit by certain individuals today, which I find amusing since it's such horrible code)


Attachment: port_8000.pcap
Description: application/vnd.tcpdump.pcap

Attachment: capture.tar.gz
Description: GNU Zip compressed data