[Winpcap-users] pcap_next_ex starts returning timeout after 4+ hours of capture

Gianluca Varenni Gianluca.Varenni at riverbed.com
Sun Feb 24 12:02:41 PST 2013


Ty,

have you tried with the 32bit version of Wireshark? Are you able to replicate the issue with a small c/C++ app?

Have a nice day
GV

From: winpcap-users-bounces at winpcap.org [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Bekiares Tyrone-CTB041
Sent: Sunday, February 24, 2013 6:42 AM
To: winpcap-users at winpcap.org
Subject: Re: [Winpcap-users] pcap_next_ex starts returning timeout after 4+ hours of capture

As an added note, I ran Wireshark alongside the capture on the same machine with wireshark configured to save packets into two rotating 1GB files ('ring' file capture), and Wireshark did not stop receiving packets at the 4+ hour mark, while my app did.

Wireshark is 64bit, my app is 32. Would there be any strange maximum data captured limits in 32bit?

Thanks,
Ty

From: Bekiares Tyrone
Sent: Saturday, February 23, 2013 11:16 PM
To: 'winpcap-users at winpcap.org'
Subject: RE: pcap_next_ex starts returning timeout after 4+ hours of capture

One further note:

This is a HP Z400 workstation running Win7SP1/64bit capturing from an Intel Gigabit CT2 desktop adapter.

The app itself is 32bit.

tb

From: Bekiares Tyrone
Sent: Saturday, February 23, 2013 8:46 PM
To: 'winpcap-users at winpcap.org'
Subject: pcap_next_ex starts returning timeout after 4+ hours of capture

Hi,

I'm using winpcap to capture a ~3mb/s stream of UDP packets. We need to capture for long periods (e.g., 24 hours); our application processes the payload, extracts statistics, and logs the statistics to disk over time. This usually works for about 4 or so hours, and then repeated calls to pcap_next_ex() return timeout (no data), and finally stop returning altogether (block). Notably, I'm certain data is still coming in (I can see it in wireshark).

The app is written in java, and I've written a JNI interface in VS2010 which bridges Java to the winpcap.dll API. I believe we are seeing the problem on a relatively modern HP workstation w/ built-in Intel GB/s NICs, under Win7/64, running WinPcap 4.1.2.

I open the device as follows:
pcap = pcap_open(adapterName, 65536,  PCAP_OPENFLAG_PROMISCUOUS,  1000,  NULL,  NULL);

I then set the following filter:
"(ip and udp) and (udp[8] & 0xEF = 0x80)" // RTP packets
Using:
pcap_compile()
and
pcap_setfilter()

I then continually call
pcap_next_ex()
and memcpy the resulting data into a reused memory buffer which is passed up to java through JNI NIO Direct Buffers.

This all works splendidly well until 4+ hours of capture, at which point pcap_next_ex() starts continually returning timeouts, and then eventually just blocks altogether.

I am not setting pcap_setmintocopy().

If I monitor the memory usage of my java process, there does not appear to be a memory leak.

Any ideas? Presumably, winpcap should support long captures without issue? Anyone experience something similar?

Thanks,
Ty



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.winpcap.org/pipermail/winpcap-users/attachments/20130224/b4a88917/attachment.html>


More information about the Winpcap-users mailing list