Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How does pcap unix buffering work?

Tags:

c

operating-system

buffer

kernel

packet

Hypothetical scenario: A udp packet stream arrives at machine X, which is running two programs - one which is listening for the packets with recv(), and another which is running pcap.

In this case, as I understand it, the packets are stored in the interface until it is polled by the kernal, which then moves them into a buffer in the kernals memory, and copies the packets into another two buffers - one buffer for the program listening with recv, and one buffer for the program listening with pcap. The packets are removed from the respective buffer when they are read - either by pcap_next() or recv(), the next time the process scheduler runs them (I assume they are blocking in this case). Is this correct? Are there really 4 buffers used, or is it handled some other way?

I'm looking for a description, as detailed as possible, as to what buffers are really involved in this case, and how packets move from one to the other (e.g. does a packet get copied to pcaps buffer before it goes to the recv buffer, after, or undefined?).

I know this seems like a big question, but all I really care about is where the packet gets stored, and how long it stays there for. Bullet points are fine. Ideally I'd like a general answer, but if it varies between OS I'm most interested in Linux.

like image 258
Benubird Avatar asked Feb 23 '11 18:02

Benubird

1 Answers

Linux case (BSD's are probably somewhat similar, using mbufs instead of skbuffs):

Linux uses skbuffs (socket buffers) to buffer network data. A skbuff has metadata about some network data, and some pointers to that data.

Taps (pcap users) create clones of skbuffs. A clone is a new skbuff, but it points to the same data. When someone needs to modify data shared by several skbuffs (the original skbuff and its clones), it first needs to create a fresh copy (copy-on-write).

When someone doesn't need an skbuff anymore, it kfree_skb()'s it. kfree_skb() decrements a reference count, and when that reference count reaches zero, the skbuff is freed. It's slightly more complicated to account for clones, but this is the general idea.

like image 178
ninjalj Avatar answered Oct 28 '22 20:10

ninjalj
Sign in to Comment

Related questions

Does realloc of memory allocated by C11 aligned_alloc keep the alignment?
Error using insmod "Could not insert module hello_world.ko: Invalid module format"
Unsigned integer bit field shift yields signed integer
Optimization, asserts and release mode
Merging global arrays at link time / filling a global array from multiple compilation units
Get functions names in a shared library programmatically
occasionally missing PTRACE_EVENT_VFORK when running ptrace
GCC compiles leading zero count poorly unless Haswell specified
How does X86 CPU translate an address to an IO such as VGA text buffer?
Is using a structure without all members assigned undefined?
Why does Knuth use this clunky decrement?
Is volatile needed when variable is only read during interrupt
Clang not generating debug info on -g flag
Is ((size_t *)(vec))[-1] a violation of strict-aliasing?
256-bit arithmetic in Clang (extended integers)
What are the semantics of C99's "restrict" with regards to pointers to pointers?
Bit-fields of type other than int?
An example of an embedded project for a single person
How can I limit memory acquired with `malloc()` without also limiting stack?
What is the best library to use when writing GUI applications in C++? [duplicate]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!