0

I am using the libpcap in my project and use the function pcap_set_buffer_size() to set an initial value. When the ring buffer is full the libpacp statistic shows me that a lot of packets was dropped.

How can I get information about the ring buffer free space?

Yevgeni
  • 1
  • couldn't you just find the right size by dichotomy? – Guillaume D Jul 31 '19 at 07:52
  • I need to get the ring buffer free space every time before call pcap_dispatch() method. Thank you for your question. – Yevgeni Jul 31 '19 at 08:03
  • have you read [this](https://stackoverflow.com/questions/7771963/pcap-dispatch-callback-processing-questions)? hope this helps – Guillaume D Jul 31 '19 at 08:13
  • and why do you want to get the free space size of the ringbuf before a ```pcap_dispatch()``` ? – Guillaume D Jul 31 '19 at 08:17
  • ```When reading packets from an interface opened for a live capture, pcap_dispatch(), pcap_next(), and pcap_next_ex() will, if no packets are currently available to be read, block waiting for packets to become available``` – Guillaume D Jul 31 '19 at 08:18
  • On what operating system are you running your application? Different OSes have different capture mechanisms atop which libpcap runs. – user9065877 Aug 03 '19 at 02:35

1 Answers1

0

from the man pcap:

a size that's too small could mean that, if too many packets are being captured and the snapshot length doesn't limit the amount of data that's buffered, packets could be dropped if the buffer fills up before the application can read packets from it, while a size that's too large could use more non- pageable operating system memory than is necessary to prevent packets from being dropped

The ideal size of the buffer depends on the use case.

What you could do to find this ideal size is by using dichotomy:

  • set a huge but system supported size at first
  • with pcap_stats() to get the number of dropped packets
  • compile again and run.

  • note if you have dropped packets.

  • then set to your current size

  • with pcap_stats() to get the number of dropped packets
  • compile again and run.

  • note if you have dropped packets.

  • then set size to (huge size + current size)/2

  • with pcap_stats() to get the number of dropped packets
  • compile again and run.

  • note if you have dropped packets.

  • ...

Note that you can reduce the amount of buffer use by setting the snapshot lenght with pcap_set_snaplen()

If, when capturing, you capture the entire contents of the packet, that requires more CPU time to copy the packet to your application, more disk and possibly network bandwidth to write the packet data to a file, and more disk space to save the packet. If you don't need the entire contents of the packet - for example, if you are only interested in the TCP headers of packets - you can set the "snapshot length" for the capture to an appropriate value. If the snapshot length is set to snaplen, and snaplen is less than the size of a packet that is captured, only the first snaplen bytes of that packet will be captured and provided as packet data

you can get the current snaplen with shotpcap_snapshot()

Guillaume D
  • 2,202
  • 2
  • 10
  • 37
  • Thank you for your answer but I can not set a new ring buffer size when my application is running and libpcap was initialized before calling of pcap_dispatch() – Yevgeni Jul 31 '19 at 08:57
  • you have to change the size between two compilation. – Guillaume D Jul 31 '19 at 08:59
  • Thank you! In order to change the size of the ring buffer, the only thing I can do is stop the application and set a new size? – Yevgeni Jul 31 '19 at 09:05
  • I mean it is the easiest way by what you shall start with, but I guess you can implement a command to call a ```pcap_set_snaplen()```. – Guillaume D Jul 31 '19 at 09:07
  • The pcap_set_snaplen() only change size of a packet. But my main goal to get information about how much free space is left when my application works. For example, I set the size of the ring buffer 128000000 and got dropped packets – Yevgeni Jul 31 '19 at 09:12