Is pcap_stats implemented on Ubuntu 14.04 LTS?
Reading the pcap man page, I see this about pcap_stats():
The statistics do not behave the same way on all platforms. ps_recv might count packets whether they passed any filter set with pcap_setfilter(3PCAP) or not, or it might count only packets that pass the filter. It also might, or might not, count packets dropped because there was no room in the operating system's buffer when they arrived. ps_drop is not available on all platforms; it is zero on platforms where it's not available. If packet filtering is done in libpcap, rather than in the operating system, it would count packets that don't pass the filter. Both ps_recv and ps_drop might, or might not, count packets not yet read from the operating system and thus not yet seen by the application. ps_ifdrop might, or might not, be implemented; if it's zero, that might mean that no packets were dropped by the interface, or it might mean that the statistic is unavailable, so it should not be treated as an indication that the interface did not drop any packets.
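All of these "might or might not" clauses don't really inspire much confidence that this function call is going to give me anything useful.
Does anyone know if Ubuntu 14.04 LTS supports the pcap_stats() call in a meaningful way?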
All of these "might or might not" clauses don't really inspire much confidence that this function call is going to give me anything useful.
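That's our intent. libpcap sits on top of many different underlying packet capture mechanisms, which differ in their ability to provide statistics and, unfortunately, in where pcap_stats() counts packets.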
Does anyone know if Ubuntu 14.04 LTS supports the pcap_stats() call in a meaningful way?
The kernel version matters, because it controls the packet capture code that libpcap runs on top of. The 14.04.4 release will have a 4.2 kernel.
14.04 also appears to have libpcap 1.5.3. Quoting the comment in pcap-linux.c in libpcap 1.5.3:
* On systems where the PACKET_STATISTICS "getsockopt()"
* argument is supported on PF_PACKET sockets:
*
* "ps_recv" counts only packets that *passed* the
* filter, not packets that didn't pass the filter.
* This includes packets later dropped because we
* ran out of buffer space.
*
* "ps_drop" counts packets dropped because we ran
* out of buffer space. It doesn't count packets
* dropped by the interface driver. It counts only
* packets that passed the filter.
*
* See above for ps_ifdrop.
*
* Both statistics include packets not yet read from
* the kernel by libpcap, and thus not yet seen by
* the application.
*
* In "linux/net/packet/af_packet.c", at least in the
* 2.4.9 kernel, "tp_packets" is incremented for every
* packet that passes the packet filter *and* is
* successfully queued on the socket; "tp_drops" is
* incremented for every packet dropped because there's
* not enough free space in the socket buffer.
*
* When the statistics are returned for a PACKET_STATISTICS
* "getsockopt()" call, "tp_drops" is added to "tp_packets",
* so that "tp_packets" counts all packets handed to
* the PF_PACKET socket, including packets dropped because
* there wasn't room on the socket buffer - but not
* including packets that didn't pass the filter.
*
* In the BSD BPF, the count of received packets is
* incremented for every packet handed to BPF, regardless
* of whether it passed the filter.
*
* We can't make "pcap_stats()" work the same on both
* platforms, but the best approximation is to return
* "tp_packets" as the count of packets and "tp_drops"
* as the count of drops.
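
An added example (not part of the original answer or of libpcap's code): turning two pcap_stats() snapshots into a per-interval loss figure under the Linux PF_PACKET semantics quoted above, where ps_recv already includes ps_drop. The struct and function names are hypothetical; cap_stats mirrors the fields of struct pcap_stat so the block compiles without libpcap, and the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical mirror of libpcap's struct pcap_stat (u_int fields). */
struct cap_stats {
    uint32_t ps_recv;   /* Linux: passed the filter, including later buffer drops */
    uint32_t ps_drop;   /* Linux: passed the filter, dropped for lack of buffer space */
    uint32_t ps_ifdrop; /* 0 = no interface drops OR statistic unavailable */
};

struct cap_interval {
    uint32_t passed_filter; /* handed to the PF_PACKET socket in the interval */
    uint32_t buffer_drops;  /* of those, lost to a full socket buffer */
    uint32_t queued;        /* queued for the application (maybe not read yet) */
    double   loss_ratio;    /* buffer_drops / passed_filter */
    int      consistent;    /* 0 if drops exceed packets: snapshots unusable */
};

/* Difference between two snapshots taken from the same capture handle. */
struct cap_interval cap_interval_linux(struct cap_stats prev, struct cap_stats cur)
{
    struct cap_interval iv;
    /* uint32_t subtraction is modulo 2^32, so one counter wrap is absorbed. */
    iv.passed_filter = cur.ps_recv - prev.ps_recv;
    iv.buffer_drops  = cur.ps_drop - prev.ps_drop;
    iv.consistent    = iv.buffer_drops <= iv.passed_filter;
    /* ps_recv already contains ps_drop on Linux, so subtract rather than add. */
    iv.queued = iv.consistent ? iv.passed_filter - iv.buffer_drops : 0;
    iv.loss_ratio = (iv.consistent && iv.passed_filter > 0)
                  ? (double)iv.buffer_drops / iv.passed_filter : 0.0;
    return iv;
}

int main(void)
{
    /* Constructed sample snapshots, not real capture data. */
    struct cap_stats t0 = { 1000, 10, 0 }, t1 = { 6000, 260, 0 };
    struct cap_interval iv = cap_interval_linux(t0, t1);
    printf("passed=%u dropped=%u queued=%u loss=%.1f%%\n",
           (unsigned)iv.passed_filter, (unsigned)iv.buffer_drops,
           (unsigned)iv.queued, 100.0 * iv.loss_ratio);
    return 0;
}
```

Neither figure covers packets rejected by the filter or dropped by the interface driver, so a zero loss ratio here only says the socket buffer kept up.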