Wireshark-users: Re: [Wireshark-users] take over responsibility of the pcap_pkthdr *

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 23 Jan 2011 01:09:27 -0800
On Jan 22, 2011, at 9:36 PM, Andrej van der Zee wrote:

> I have a question about the callback pcap_handler that is called for
> each packet.

If you mean the callback for pcap_loop() and pcap_dispatch(), that's a question best asked on tcpdump-workers@xxxxxxxxxxx ("tcpdump-workers" could, in theory, be split into four mailing lists - tcpdump-users, tcpdump-dev, libpcap-users, and libpcap-dev - but it isn't).

> I assume that each pcap_pkthdr * is released by pcap
> after the callback returns.

Yes.

> Is it by any means possible to take over
> responsibility of the pcap_pkthdr *?

No.  There is *no* guarantee that either the "struct pcap_pkthdr" pointed to by the second argument to the callback or the pile of raw packet data pointed to by the third argument to the callback is valid after the callback returns; if you want a version of either of those that remains valid after the callback returns, you will have to make a copy of it.  (Note that the header or the data might be in a memory-mapped buffer shared between the kernel and userland; if so, the userland code could release it to the kernel as soon as the callback returns, so that userland doesn't hang onto a kernel buffer resource indefinitely - it's not as if they're necessarily copied into a purely-userland buffer by a read/recvfrom/getmsg/whatever, so that userland could somehow reference-count them.)