Ethereal-users: Re: [Ethereal-users] Is there any difference in the way capture works in etherea

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Tue, 06 Sep 2005 10:33:59 -0700
Jayanna, Jay wrote:

I wanted to know if there was any difference between the way capture is implemented in ethereal & tethereal. It would be very helpful if anyone could answer this.

Why do you ask? It sounds as if you're seeing some behavior you don't want to see, and are either seeing it in Tethereal but not Ethereal or are seeing it in Ethereal but not Tethereal.

There are some differences - the timeout in the pcap_open_live() call is 1 second in Tethereal (same as in tcpdump) but 1/4 second in Ethereal, as, on some platforms, the timeout is used to arrange that Ethereal can periodically poll for user input while capturing. On other platforms, the capture loop in Ethereal has a select() call to wait for input or for 1/4 second to elapse.

In addition, in Ethereal, a child process captures and writes the packets to a file; that process handles user input from the capture window (the window with the packet percentage bars and "Stop" button). In an "Update list of packets in real time" capture, the main process is reading from that file and updating the display; that process handles user input in the main window.

Ultimately, the child process should probably be a small process that does no UI, with the parent process (the main process) handling all windows; that way, on platforms where you need root privileges to capture packets, the child process can run as root, with the parent process not having, and never having, root privilege. The child process might then not have to poll for input, and its capture loop could be less complicated. (If we add support for simultaneous capture on multiple interfaces, the child process could do select()s on multiple libpcap streams in UN*X - with a timeout to work around BPF bugs with select() on many BSDs - and WaitForMultipleEvents() on multiple WinPcap streams on Windows, as I *think* a bug in older WinPcaps where the call to get the waitable handle for captures didn't work on Windows NT is fixed in WinPcap 3.1.)
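The capture-loop shape Guy describes (a select() that waits for either the capture descriptor or user input, with a 1/4-second timeout so the process can still poll when select() cannot be trusted on the capture descriptor), together with the proposed split into a capture-only child that writes records for a separate UI process to read, can be sketched in plain POSIX C. The following is an added illustration, not Ethereal or Tethereal source: it does not link libpcap, so the record format (one length byte followed by payload, fed through a pipe that stands in for the capture file) and the demo helpers are constructed for this example. In real code cap_fd would be the descriptor libpcap's pcap_get_selectable_fd() returns on platforms that support it, and the 250 ms value corresponds to the 1/4-second interval mentioned above (Tethereal and tcpdump use 1000 ms in pcap_open_live()).

```c
#include <errno.h>
#include <stdio.h>
#include <sys/select.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of one wait in the capture loop; WAIT_CAPTURE and WAIT_UI can be OR-ed. */
enum { WAIT_ERROR = -1, WAIT_TIMEOUT = 0, WAIT_CAPTURE = 1, WAIT_UI = 2 };

/* Wait until cap_fd (in real code the fd from pcap_get_selectable_fd()) or
 * ui_fd (user input; pass -1 if the process has no UI) is readable, or until
 * timeout_ms elapses. The timeout is what keeps a capture process responsive
 * on platforms where select() on the capture descriptor is unreliable. */
int capture_wait(int cap_fd, int ui_fd, int timeout_ms)
{
    fd_set rfds;
    struct timeval tv;
    int maxfd = cap_fd > ui_fd ? cap_fd : ui_fd, n, ready = 0;

    tv.tv_sec = timeout_ms / 1000;
    tv.tv_usec = (timeout_ms % 1000) * 1000;
    FD_ZERO(&rfds);
    FD_SET(cap_fd, &rfds);
    if (ui_fd >= 0)
        FD_SET(ui_fd, &rfds);
    n = select(maxfd + 1, &rfds, NULL, NULL, &tv);
    if (n < 0)
        return errno == EINTR ? WAIT_TIMEOUT : WAIT_ERROR; /* signal: just poll again */
    if (n == 0)
        return WAIT_TIMEOUT;
    if (FD_ISSET(cap_fd, &rfds))
        ready |= WAIT_CAPTURE;
    if (ui_fd >= 0 && FD_ISSET(ui_fd, &rfds))
        ready |= WAIT_UI;
    return ready;
}

/* Read exactly len bytes: 1 on success, 0 on EOF, -1 on error. */
static int read_full(int fd, unsigned char *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n == 0) return 0;
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        got += (size_t)n;
    }
    return 1;
}

/* Consume constructed records (1 length byte + payload) from cap_fd until EOF,
 * until 'q' arrives on ui_fd (the "Stop" button), or until max_polls consecutive
 * timeouts pass with nothing to do. Returns the number of records consumed. */
int capture_loop(int cap_fd, int ui_fd, int timeout_ms, int max_polls)
{
    unsigned char len, payload[255];
    int count = 0, idle = 0;

    for (;;) {
        int r = capture_wait(cap_fd, ui_fd, timeout_ms);
        if (r == WAIT_ERROR)
            break;
        if (r & WAIT_UI) {
            char c = 0;
            if (read(ui_fd, &c, 1) <= 0 || c == 'q')
                break;                          /* user asked to stop */
        }
        if (r & WAIT_CAPTURE) {
            if (read_full(cap_fd, &len, 1) <= 0)
                break;                          /* capture side closed or failed */
            if (len > 0 && read_full(cap_fd, payload, len) <= 0)
                break;
            count++;
            idle = 0;
            continue;
        }
        if (r == WAIT_TIMEOUT && ++idle >= max_polls)
            break;
    }
    return count;
}

/* Sketch of the proposed split: a child that only captures (the one process
 * that would hold capture privilege) writes records into a pipe standing in
 * for the capture file; the parent, which owns the UI, reads them. Constructed
 * packets, no root and no libpcap involved. Returns records seen by the parent. */
int run_split_capture_demo(void)
{
    static const unsigned char records[] = { 3, 'a', 'b', 'c', 0, 2, 'x', 'y' };
    int cap[2], ui[2], count;
    pid_t pid;

    if (pipe(cap) < 0 || pipe(ui) < 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {                              /* capture child: no UI descriptors */
        ssize_t w;
        close(cap[0]); close(ui[0]); close(ui[1]);
        w = write(cap[1], records, sizeof records);
        (void)w;
        _exit(0);
    }
    close(cap[1]);                               /* so EOF arrives once the child exits */
    waitpid(pid, NULL, 0);
    count = capture_loop(cap[0], ui[0], 250, 4); /* ui[1] open but silent: no Stop */
    close(cap[0]); close(ui[0]); close(ui[1]);
    return count;
}

/* Stop button pressed while a record is pending: the loop honours the UI first. */
int run_stop_button_demo(void)
{
    static const unsigned char record[] = { 2, 'h', 'i' };
    int cap[2], ui[2], count;
    ssize_t w;

    if (pipe(cap) < 0 || pipe(ui) < 0)
        return -1;
    w = write(cap[1], record, sizeof record); (void)w;
    w = write(ui[1], "q", 1); (void)w;
    count = capture_loop(cap[0], ui[0], 250, 4);
    close(cap[0]); close(cap[1]); close(ui[0]); close(ui[1]);
    return count;
}
```

Replacing the pipe with a libpcap descriptor and the constructed records with pcap_dump() output would turn the child into something close to the small, UI-free capture process the message proposes; the point of the timeout argument is that on BSDs where select() on a BPF descriptor misbehaves, the loop still wakes up every 1/4 second instead of hanging.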