Richard van der Hoff wrote:
> The only concern with this would be that dumpcap would presumably then
> send a packet count after every packet - which might mean a significant
> quantity of data.
Every batch of packets, at least.
Some OSes support packet batching, so that a single read from the
capture device can supply multiple packets; those OSes support a
timeout, so that the read either waits for a full batch or for a timer
to expire, so you don't wait indefinitely for a full batch.
(Note that this timer is *NOT* necessarily started when the read starts;
the timer on SunOS 5.x, for example, starts when the first packet
arrives. I.e., this timer does *NOT* guarantee that a read will wait no
longer than the timeout, and will return at that point if no packets
have arrived; that does *NOT* happen on SunOS 5.x.)
BSDs (including OS X) support that in BPF (AIX's BPF doesn't work
correctly, so the timeout doesn't work and isn't used). As indicated,
SunOS 3.x/4.x/5.x support it, too, as do Digital/Tru64 Unix and Windows
with WinPcap.
Linux, however, doesn't support batching, at least not in PF_PACKET sockets.