<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=windows-1252">
<META content="MSHTML 6.00.2900.3132" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Hello,</SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"> </P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">I have been doing some
experimenting using WinPcap to read packets from a non-aggregating network
line tap. This tap provides two feeds from one network cable to two network
interface cards. It splits the bidirectional network traffic into two
separate streams, north bound and south bound.</SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"> </P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">I have tried several methods of
re-combining the two streams back into one, but have not 100 percent
success. The traffic on the network that I am analyzing is of the Request :
Response type. The problem that I am having is that occasionally the application
receives a Response before it receives its matching Request, and therefore the
Response gets discarded. The timestamps on the pcap headers are correct, the
packets are coming from the line tap into the driver correctly, but the driver
is delivering them to my application out of order. </SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"> </P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">The method that has achieved the
best success so far is as follows : <?xml:namespace prefix = o ns =
"urn:schemas-microsoft-com:office:office" /><o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Using two threads, one reading from
each adapter, here is the code flow -<o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt">AdapterHandle
= pcap_open_live(<o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"><SPAN
style="mso-spacerun: yes">
</SPAN>Device->name,<o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"><SPAN
style="mso-spacerun: yes">
</SPAN>2048, <o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"><SPAN
style="mso-spacerun: yes">
</SPAN>PCAP_OPENFLAG_PROMISCUOUS,<o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt; TEXT-INDENT: 0.5in"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"><SPAN
style="mso-spacerun: yes">
</SPAN>-1, <o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"><SPAN
style="mso-spacerun: yes">
</SPAN>ErrorBuffer);<o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"> <o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt">pcap_setmintocopy(AdapterHandle,
1); <o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"> <o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt">Events[0]
= ShutdownSemaphore;<SPAN
style="mso-spacerun: yes">
</SPAN>// set when application stops <o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt">Events[1]
= pcap_getevent(AdapterHandle);<o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"> <o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt">while
(TRUE)<o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt">{<o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"><SPAN
style="mso-spacerun: yes"> </SPAN>EN = WaitForMultipleObjects(2,
&Events[0], FALSE, INFINITE);<o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"> <o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"><SPAN
style="mso-spacerun: yes"> </SPAN>if (EN == WAIT_OBJECT_0 +
1)<o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"><SPAN
style="mso-spacerun: yes"> </SPAN>{<o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"><SPAN
style="mso-spacerun: yes"> </SPAN>RV =
pcap_next_ex(AdapterHandle, <o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"><SPAN
style="mso-spacerun: yes">
</SPAN>&Header, <o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"><SPAN
style="mso-spacerun: yes">
</SPAN>(const unsigned char **) &Data);<o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"><SPAN
style="mso-spacerun: yes"> </SPAN>}<o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"><SPAN
style="mso-spacerun: yes"> </SPAN>else if (EN ==
WAIT_OBJECT_0)<o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"><SPAN
style="mso-spacerun: yes"> </SPAN>{<o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"><SPAN
style="mso-spacerun: yes"> </SPAN>break;<o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"><SPAN
style="mso-spacerun: yes"> </SPAN>}<o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"> <o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt">//
process the data<o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt">…<o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt">…<o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt">}<SPAN
style="mso-spacerun: yes"> </SPAN>//<SPAN style="mso-spacerun: yes">
</SPAN>while (TRUE)<o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"> <o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"> <o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt">The
application must process tens of thousands of packets per second, so that
reordering the packets by timestamp is not possible. <o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"> <o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt">Does
anyone have any suggestions on how to guarantee that my application will receive
the packets in the correct order ?<SPAN style="mso-spacerun: yes">
</SPAN>Thank you.</SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"></SPAN> </P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt">Best
regards,</SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"></SPAN> </P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt">Bob</SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-bidi-font-size: 12.0pt"><o:p></o:p></SPAN> </P></FONT></DIV></BODY></HTML>