Ethereal-users: RE: [Ethereal-users] Is there any difference in the way capture works in ethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Jayanna, Jay" <jjayanna@xxxxxxxxxxxx>
Date: Tue, 6 Sep 2005 11:09:23 -0700
Thank you for the quick reply.

I am asking this because I'm finding different sort of behavior between
tethereal & ethereal while I'm capturing on a pipe. 

I am trying to implement remote capturing. I capture the required
packets from remote machines. Send the packet along with the timing info
(pinfo->fd->abs_secs and pinfo->fd->abs_usecs) to a central machine over
a socket connection. On my central machine, I receive the packet, put it
in libpcap format & write that into a named pipe. 

When I start capture for the first time, it goes smoothly with both
ethereal & tethereal. But if I stop capture while the remote machines
are still sending packets (which means the central machine will continue
to try to write to the pipe), I get a SIGPIPE error. I have a handler
that basically closes the pipe & reopens it whenever there is a reader.
Pcap_dump_open waits until there is reader. Here is where I am finding
the difference. When I try to restart capture with tethereal, it'll
recognize that there is a reader & continues with the rest of the
capture. But when I restart capture with ethereal, I get the "libpcap
format not recognized" error. But after that I see that the handler
opens the pipe & tries to write to it. 

I am not sure if this is because of the way I'm handling the SIGPIPE
error or if it has got something to do with libpcap or with the way
ethereal capture is implemented. Since it works fine with tethereal, I
wondered if it was something to do with the way capturing is
implemented... I'll check the timeout & see if it has anything to do with
this.

Thank you once again for the reply. Please let me know if you have any
idea about this. 

I am using ethereal 0.10.12 on a linux machine (linux 2.4.21).

Thanks,
Jay.


-----Original Message-----
From: ethereal-users-bounces@xxxxxxxxxxxx
[mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: Tuesday, September 06, 2005 10:34 AM
To: Ethereal user support
Subject: Re: [Ethereal-users] Is there any difference in the way capture
works in ethereal & tethereal?

Jayanna, Jay wrote:

> I wanted to know if there was any difference between the way capture is
> implemented in ethereal & tethereal. It would be very helpful if anyone
> could answer this.

Why do you ask?  It sounds as if you're seeing some behavior you don't 
want to see, and are either seeing it in Tethereal but not Ethereal or 
are seeing it in Ethereal but not Tethereal.

There are some differences - the timeout in the pcap_open_live() call is
1 second in Tethereal (same as in tcpdump) but 1/4 second in Ethereal, 
as, on some platforms, the timeout is used to arrange that Ethereal can 
periodically poll for user input while capturing.  On other platforms, 
the capture loop in Ethereal has a select() call to wait for input or 
for 1/4 second to elapse.

In addition, in Ethereal, a child process captures and writes the 
packets to a file; that process handles user input from the capture 
window (the window with the packet percentage bars and "Stop" button). 
In an "Update list of packets in real time" capture, the main process is
reading from that file and updating the display; that process handles 
user input in the main window.

Ultimately, the child process should probably be a small process that 
does no UI, with the parent process (the main process) handling all 
windows; that way, on platforms where you need root privileges to 
capture packets, the child process can run as root, with the parent 
process not having, and never having, root privilege.  The child process
might then not have to poll for input, and its capture loop could be 
less complicated.  (If we add support for simultaneous capture on 
multiple interfaces, the child process could do select()s on multiple 
libpcap streams in UN*X - with a timeout to work around BPF bugs with 
select() on many BSDs - and WaitForMultipleEvents() on multiple WinPcap 
streams on Windows, as I *think* a bug in older WinPcaps where the call 
to get the waitable handle for captures didn't work on Windows NT is 
fixed in WinPcap 3.1.)
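As an added illustration of the pipe writer Jay describes (this is example code, not code from the thread or from Ethereal), the Python below ignores SIGPIPE, treats EPIPE as "the reader went away", blocks for the next reader, and writes a fresh pcap global header on every reopen so whatever attaches next sees a well-formed libpcap stream; the abs_secs/abs_usecs values go into each record header. The FIFO path and the injectable opener are assumptions made so the writer can be exercised with an ordinary os.pipe().

```python
import errno, os, signal, struct

PCAP_MAGIC = 0xA1B2C3D4          # pcap magic in native byte order, microsecond timestamps
LINKTYPE_ETHERNET = 1

def pcap_global_header(linktype=LINKTYPE_ETHERNET, snaplen=65535):
    # 24-byte libpcap file header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)

def pcap_record(abs_secs, abs_usecs, data):
    # 16-byte record header (ts_sec, ts_usec, incl_len, orig_len) followed by the packet bytes
    return struct.pack("<IIII", abs_secs, abs_usecs, len(data), len(data)) + data

class PipeWriter:
    """Writes a pcap stream to a named pipe and survives the reader going away."""
    def __init__(self, path, opener=None):
        self.path, self.fd, self.reopens = path, None, 0
        # The default opener blocks until a reader opens the FIFO (as pcap_dump_open does on a pipe);
        # 'opener' is an assumed hook so a test can inject the write end of an os.pipe() instead.
        self.opener = opener or (lambda p: os.open(p, os.O_WRONLY))
        try:
            signal.signal(signal.SIGPIPE, signal.SIG_IGN)  # a vanished reader now yields EPIPE, not death
        except ValueError:
            pass  # not the main thread; CPython ignores SIGPIPE by default anyway

    def _write_all(self, buf):
        view = memoryview(buf)
        while view:                                    # os.write can be partial on a pipe
            view = view[os.write(self.fd, view):]

    def _open(self):
        self.fd = self.opener(self.path)
        self.reopens += 1
        self._write_all(pcap_global_header())  # every new reader must see the file header first

    def write_packet(self, abs_secs, abs_usecs, data):
        rec = pcap_record(abs_secs, abs_usecs, data)
        while True:
            if self.fd is None:
                self._open()
            try:
                self._write_all(rec)
                return
            except OSError as e:
                if e.errno != errno.EPIPE:
                    raise
                os.close(self.fd)   # reader went away: close, wait for the next reader,
                self.fd = None      # then retry this record so the new stream is well formed
```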

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users