Using multiple PcapLiveDevice for same interface

[chetan kumar]

Hello, 

we have a requirement to read packets on the same interface with different filters. however, as PcapLiveDevice constructor is not public, and hence the library doesn't allow us to do the same.

can we simply, make the PcapLiveDevice constructor public (in PcapLiveDevice.h) and use it to create different objects, to read packets from the same interface?

do you see any issue with this approach?

regards

Chetan

[PcapPlusPlus Support]

Hi Chetan,

Thanks for reaching out!

I don't think that libpcap/WinPcap, which is what PcapLiveDevice is using under the hood, support that. I'm not sure you can open multiple handles on the same interface and capture packets on all of them.

I may be wrong, so it's worth checking. But anyway this is currently not supported in PcapPlusPlus.

Thanks,

PcapPlusPlus maintainer

--
You received this message because you are subscribed to the Google Groups "PcapPlusPlus support" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pcapplusplus-sup...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/pcapplusplus-support/bba100ff-32c1-402a-9602-318f0287c446n%40googlegroups.com.

[chetan kumar]

Hi @ PcapPlusPlus maintainer,

I did check and the (atleast) libpcap doesn't say anywhere that it is not possible to sniff on the same interface using multiple pcap handles.
In fact, I also wrote a small program that does the same and it works fine.

there is a similar question on stackoverflow here

I also quickly changed the  PcapLiveDevice constructor to public and tried multiple threads sniffing on the same interface.
it seems to work.
But I am not sure, if in reality everything behind PcapLiveDevice is actually fine.

From an architecture point of view, do you see an issue making the PcapLiveDevice constructor?

regards

Chetan

[PcapPlusPlus Support]

Hi Chetan,

I'm sorry for the late response.

Looking at the StackOverflow question you shared, a few issues comes to mind:

• libpcap in its older versions is not thread safe so things might not work well on these versions
• I'm not sure what happens in WinPcap/Npcap - PcapPlusPlus should support them also
  
• In the other answer it is mentioned that this guy is capturing packets from the same interface but in 2 separate program

Please let me know what you think.

Thanks,

PcapPlusPlus maintainer

To view this discussion on the web visit https://groups.google.com/d/msgid/pcapplusplus-support/8306f380-ae61-4432-8a39-b75204d7b1e8n%40googlegroups.com.

[chetan kumar]

Hi @Pcapplusplus maintainer,

Even I am not sure about the Winpcap/Npcap.

However, as long as each thread uses its own libpcap handle, 

the thread safety issue should be taken care. Is this correct?

Could it be something like, 

allow creating different PcapLiveDevice objects for those platforms (and versions) which supports them?

An application may want to see different kinds of traffic flowing through an interface.

So, it would make sense to have each thread read packets with its own libpcap handle and 

maybe its own filter. Don't you think this is a real need?

As far as I see it, PcapLiveDevice is already doing this (it maintains one handle of libpcap),

So by allowing creation of multiple PcapLiveDevice objects, they each manage their own libpcap handle.

Let me know what you think.

Regards

Chetan

[PcapPlusPlus Support]

Hi Chetan,

To be very honest, I haven't tested a scenario of calling `pcap_findalldevs()` multiple times and using different `pcap_t` handles in different threads that point to the same interface.

This is something that needs to be tested on multiple platforms and various scenarios including setting different filters, capturing/sending packets at the same time in multiple threads, creating a handle with different properties on one thread while the other is capturing packets from a different handle but on the same interface, and probably more scenarios that we need to think about.

Currently PcapPlusPlus doesn't support this scenario, but you're more than welcome to explore it and let me know if it's feasible.

We can also think together on what we need to test in order to decide this way or the other.

Thanks,

PcapPlusPlus maintainer

To view this discussion on the web visit https://groups.google.com/d/msgid/pcapplusplus-support/c3c18b62-15a5-4fd6-ace3-2fcb6dc68f2an%40googlegroups.com.

[Shannon Weyrick]

I have also looked into this (see https://github.com/seladb/PcapPlusPlus/issues/567), and concluded that libpcap does not support capturing from the same interface more than once in the same process - that is, it is not thread safe to do so.

In my own project I plan to supplement libpcap based capture from PcapPlusPlus with linux only AF_PACKET based capture, which will be thread safe. It would be great to get this pushed upstream to PcapPlusPlus if it makes sense, although I don't have time to do that work in the short term. You can see the implementation at https://github.com/ns1labs/pktvisor/blob/develop/src/inputs/pcap/afpacket.cpp

Shannon

[chetan kumar]

Hello Shannon,

Thanks for that reply!

However, if each thread in a process uses a 'seperate' pcap handle, do you think it's still not thread safe?.

The way I understood is, every pcap handle makes its own shared memory with kernel to read packets from.

Do you have any links that explain that pcap is not thread safe when using 'seperate' handles?

Regards

Chetan

You received this message because you are subscribed to a topic in the Google Groups "PcapPlusPlus support" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/pcapplusplus-support/cqyiiZaMCyk/unsubscribe.
To unsubscribe from this group and all its topics, send an email to pcapplusplus-sup...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/pcapplusplus-support/34615569-38b4-4e84-9467-91d5f4e76d0bn%40googlegroups.com.

[Shannon Weyrick]

Unfortunately I did not keep all of the links that I researched at the time, but for example https://stackoverflow.com/questions/61850088/can-multiple-threads-sniff-on-same-interface-at-same-time

I also reviewed the code a bit (which is not easy). But I concluded that many of the structures which represented e.g. interfaces were simply not written to be thread safe. 

It would be great if you found out otherwise as I would definitely like to use it from multiple threads. Please let me know what you discover.

[Shannon Weyrick]

I just reread the thread, and saw you quoted the same stackoverflow article as proof that it should work :) I guess it does come down to whether the pcap_t structures can be created multiple times on the same interface in the same process, and that they don't share any internals in that case. You mentioned you have some sample code that tries to demonstrate this, would you mind sharing?