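Reading the pcap man page, I see this blurb about pcap_stats():
The statistics do not behave the same way on all platforms. ps_recv might count packets whether they passed any filter set with pcap_setfilter(3PCAP) or not, or it might count only packets that pass the filter. It also might, or might not, count packets dropped because there was no room in the operating system's buffer when they arrived. ps_drop is not available on all platforms; it is zero on platforms where it's not available. If packet filtering is done in libpcap, rather than in the operating system, it would count packets that don't pass the filter. Both ps_recv and ps_drop might, or might not, count packets not yet read from the operating system and thus not yet seen by the application. ps_ifdrop might, or might not, be implemented; if it's zero, that might mean that there were no packets dropped by the interface, or it might mean that the statistic is unavailable, so it should not be treated as an indication that the interface did not drop any packets.
All those "might or might not" clauses don't really inspire confidence that this function call gives me anything useful.
Does anyone know whether Ubuntu 14.04 LTS supports the pcap_stats() call in a meaningful way?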
Answer 0 (score: 1)
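All those "might or might not" clauses don't really inspire confidence that this function call gives me anything useful.
That is the intent. libpcap sits on top of many different underlying packet capture mechanisms, which vary in their ability to provide statistics - and, unfortunately, pcap_stats() cannot indicate which statistics are valid or where the packets are counted.
Does anyone know whether Ubuntu 14.04 LTS supports the pcap_stats() call in a meaningful way?
The kernel version is what matters, as it controls the packet capture code that libpcap runs on top of. The 14.04.4 release will have a 4.2 kernel.
14.04 also appears to have libpcap 1.5.3. To quote the comment in pcap-linux.c in libpcap 1.5.3: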
* On systems where the PACKET_STATISTICS "getsockopt()"
* argument is supported on PF_PACKET sockets:
*
* "ps_recv" counts only packets that *passed* the
* filter, not packets that didn't pass the filter.
* This includes packets later dropped because we
* ran out of buffer space.
*
* "ps_drop" counts packets dropped because we ran
* out of buffer space. It doesn't count packets
* dropped by the interface driver. It counts only
* packets that passed the filter.
*
* See above for ps_ifdrop.
*
* Both statistics include packets not yet read from
* the kernel by libpcap, and thus not yet seen by
* the application.
*
* In "linux/net/packet/af_packet.c", at least in the
* 2.4.9 kernel, "tp_packets" is incremented for every
* packet that passes the packet filter *and* is
* successfully queued on the socket; "tp_drops" is
* incremented for every packet dropped because there's
* not enough free space in the socket buffer.
*
* When the statistics are returned for a PACKET_STATISTICS
* "getsockopt()" call, "tp_drops" is added to "tp_packets",
* so that "tp_packets" counts all packets handed to
* the PF_PACKET socket, including packets dropped because
* there wasn't room on the socket buffer - but not
* including packets that didn't pass the filter.
*
* In the BSD BPF, the count of received packets is
* incremented for every packet handed to BPF, regardless
* of whether it passed the filter.
*
* We can't make "pcap_stats()" work the same on both
* platforms, but the best approximation is to return
* "tp_packets" as the count of packets and "tp_drops"
* as the count of drops.
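
An added example, not part of the original answer or of libpcap: it reads two successive samples under the Linux PF_PACKET semantics quoted above, where ps_recv already includes the packets counted in ps_drop. The `stat_sample` and `interval_report` types and the `interpret_linux` function are hypothetical names; real code would fill the counters from pcap_stats().

```c
#include <stdio.h>

/* Local mirror of the three counters in libpcap's struct pcap_stat, so the
 * example builds without libpcap (assumes a 32-bit unsigned int). */
struct stat_sample { unsigned int ps_recv, ps_drop, ps_ifdrop; };

/* Hypothetical result type for one polling interval. */
struct interval_report {
    unsigned int passed_filter; /* ps_recv delta: passed the filter, dropped or not */
    unsigned int buffer_drops;  /* ps_drop delta: no room in the socket buffer */
    unsigned int queued;        /* passed_filter minus buffer_drops */
    double drop_pct;            /* buffer_drops as a percentage of passed_filter */
    int ifdrop_known;           /* 0 when ps_ifdrop is 0, which may mean "unavailable" */
};

/* Interpret two successive samples using the Linux semantics quoted above.
 * Unsigned subtraction keeps the deltas correct across counter wraparound. */
struct interval_report interpret_linux(struct stat_sample prev, struct stat_sample cur)
{
    struct interval_report r;
    r.passed_filter = cur.ps_recv - prev.ps_recv;
    r.buffer_drops  = cur.ps_drop - prev.ps_drop;
    /* Clamp inconsistent samples instead of letting "queued" underflow. */
    if (r.buffer_drops > r.passed_filter)
        r.buffer_drops = r.passed_filter;
    r.queued = r.passed_filter - r.buffer_drops;
    r.drop_pct = r.passed_filter ? 100.0 * r.buffer_drops / r.passed_filter : 0.0;
    r.ifdrop_known = cur.ps_ifdrop != 0;
    return r;
}

int main(void)
{
    /* Constructed sample values, not real capture output. */
    struct stat_sample prev = { 4294967000u, 10u, 0u };
    struct stat_sample cur  = { 704u, 60u, 0u };   /* ps_recv wrapped past 2^32 */
    struct interval_report r = interpret_linux(prev, cur);
    printf("passed filter: %u, buffer drops: %u, queued: %u (%.1f%% dropped)\n",
           r.passed_filter, r.buffer_drops, r.queued, r.drop_pct);
    if (!r.ifdrop_known)
        printf("ps_ifdrop is 0: interface drops unknown, not proven absent\n");
    return 0;
}
```

Because both counters include packets not yet read from the kernel, `queued` is the number of packets accepted into the socket buffer, not the number the application has processed.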