StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO
primarykey
Id
15991025
data
AcceptedAnswerId
0
AnswerCount
0
ClosedDate
CommentCount
2
CommunityOwnedDate
CreationDate
2013-04-13T17:57:05.097
FavoriteCount
0
LastActivityDate
2013-04-13T17:57:05.097
LastEditDate
LastEditorUserId
0
OwnerUserId
0
ParentId
15979033
PostTypeId
2
Score
2
ViewCount
0
LastEditorDisplayName
text
Body
<blockquote> Is there some way to disable this buffering on libpcap </blockquote> There's currently no libpcap API to do that. However, depending on what OS you're running, there may be ways to do it for that particular OS, i.e. you can do it, but in a non-portable fashion. For systems that use BPF, including *BSD and... ...OS X, which, given the <code>"en0"</code>, I suspect you're using, the way to do it is to do something such as: Creating a <code>set_immediate_mode.h</code> header file containing: <pre><code>extern int set_immediate_mode(int fd); </code></pre> Creating a <code>set_immediate_mode.c</code> source file containing: <pre><code>#include <sys/types.h> #include <sys/time.h> #include <sys/ioctl.h> #include <net/bpf.h> #include "set_immediate_mode.h" int set_immediate_mode(int fd) { int on = 1; return ioctl(fd, BIOCIMMEDIATE, &on); } </code></pre> Adding <code>#include <string.h></code> and <code>#include <errno.h></code> to your program if it's not already including those files, adding <code>#include "set_immediate_mode.h"</code> to your program, and adding, after the <code>pcap_open_live()</code> call succeeds, the following code: <pre><code>int fd; fd = pcap_fileno(handle); if (fd == -1) { fprintf(stderr, "Can't get file descriptor for pcap_t (this should not happen)\n"); return 2; } if (set_immediate_mode(fd) == -1) { fprintf(stderr, "BIOCIMMEDIATE failed: %s\n", strerror(errno)); return 2; } </code></pre> That will completely disable the buffering that BPF normally does (that's the buffering you're seeing with libpcap; see the BPF(4) man page), so that packets are delivered as soon as they arrive. That changes the way buffering is done in ways that might cause BPF's internal buffers to fill up faster than they would if the normal buffering is done, so that might cause packets to be lost when they wouldn't otherwise be lost, but using <code>pcap_set_buffer_size()</code>, as suggested by Kiran Bandla, could help that if it happens (which it might not, especially given that you're using a filter to keep "uninteresting" packets from being put into BPF's buffer in the first place). On Linux, this is currently not necessary - what buffering is done doesn't have a timeout for the delivery of packets. On Solaris, it would be done similarly on Solaris 11 (as libpcap uses BPF), but would be done differently on earlier versions of Solaris (as they didn't have BPF and libpcap uses DLPI). On Windows with WinPcap, <code>pcap_open()</code> has a flag for that. A future version of libpcap will probably have an API for this; I can't promise when that will happen.
Tags
Title
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. POlibpcap not receiving in real time, seems to be buffering packets
 singulars
 PostTypePostTypeId
 PTQuestion
PostTypePostTypeId
1. PTAnswer
UserLastEditorUserId
1. This table or related slice is empty.
UserOwnerUserId
1. This table or related slice is empty.
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. POlibpcap not receiving in real time, seems to be buffering packets
 singulars
 PostTypePostTypeId
 PTQuestion
PostsParentIdCreationDate
1. This table or related slice is empty.
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTAcceptedByOriginator
CommentsPostId
1. This table or related slice is empty.

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.