Why is there a long delay between pcap_loop() and getting a packet?
I'm using 10000
The to_ms argument to pcap_open_live() and pcap_set_timeout() is in milliseconds. 10000 milliseconds is 10 seconds.
Try using 1000, which is the value tcpdump uses - that'll reduce the delay to 1 second - or using 100, which is the value Wireshark uses - that'll reduce the delay to 1/10 second.
I read on a tutorial about this field: "on at least some platforms, this means that you may wait until a sufficient number of packets arrive before seeing any packets, so you should use a non-zero timeout"
The tutorial in question is the tcpdump.org "How to use libpcap" tutorial, and the passage in question was added in this CVS commit:
revision 1.8
date: 2005/08/27 23:58:39;  author: guy;  state: Exp;  lines: +34 -31
Use a non-zero timeout in pcap_open_live(), so you don't wait for a
bufferful of packets before any are processed.
Correctly explain the difference between pcap_loop() and
pcap_dispatch().
In sniffex.c, don't print the payload if there isn't any.
so I'm familiar with it. :-)
I'd have to spend some time looking at the Linux kernel code (again) to see what effect a timeout value of 0 would have on newer kernels. However, when writing code that uses libpcap/WinPcap to do live captures, you should always act as if you're writing code for such a platform; your code will then be more portable to other platforms and will not break if the behavior of a zero timeout changes.