June 2009 | jNetPcap OpenSource

Packet Loss in pcap.loop

by shyamala | Tue, 06/30/2009 - 01:26

Hi Mark,
In our program using Jnetpcap, Some of the packets are lost while using
pcap.loop(-1, handler, "jNetPcap rocks!");

Our requirement is to capture all the packets from n/w card and write the payload to file.
The following is our code snippet

        PcapPacketHandler handler = new PcapPacketHandler() {
            public void nextPacket(PcapPacket packet, String user) {
                 pktdata = packet.getHeader(new Tcp());
                    if(pktdata != null && pktdata.getPayloadLength()>0)
                             fos.write(pktdata.getPayload());
            }
         }

We simulate 1MBps throughput and capture the packets thro jnetpcap program as well as wireshark. We found lot of packet are lost while compare to wireshark.

Kindly help us to resolve the problem and explain how loop method works(will it continue to read new arrival of packets from kernel buffer) while packethandler(nextpacket()) is processing the available packets in Jscanner.

Thanks in Advance,
Shyamala

7 comments

PcapPacket constructor

by Mark B. | Mon, 06/29/2009 - 14:37

I have added the implicit "transferTo" type copy of the packet in both PcapPacketHandler and JPacketHandler. Now both of these handlers deliver a stand-alone packet with fully copied contents. All 3 packet components header, state and data are copied into a single buffer and the java JMemory objects peered to point at their respective offsets into this memory block. Exactly the same as if done with PcapPacket.transferTo methods except its done natively.

This almost obsoletes the PcapPacket(PcapPacket) constructor. I say almost, because there may still be legitimate reasons to make an extract copy of all this information. It is however not neccessary to make a copy anymore in order to get the packet out of the temporary libpcap ring-buffer or JScanner ring-state-buffer.

I think this is the more intuitive behavior of both of these handlers and that should not only clear up many questions I receive and lots of frustrating programming errors for users learning jNetPcap library, but it also positions these 2 handlers for the enhanced memory model that will be implemented after 1.2 release. The new memory model will enhance JMemoryPool class and allow complex native structures to be peered.

Any existing implementations of these 2 handlers that perform a copy of the packets, should simply remove the code block that does the memory copies either using "transferTo" method or PcapPacket() constructors. In eclipse you can select the contructors and transferTo methods and perform "references" search which will list all the areas of the code that utilize these methods, pin pointing potential code that may need to be disabled.

If the code is not disabled, it will only result in packet data being copied twice. This is undersirable but not fatal in most cases resulting in some waist of memory and CPU, but fully functional.

Mark B.'s blog

help using PcapDumper - can't open resultant file

by wandererr | Sun, 06/28/2009 - 13:37

Hi,

So I'm using the sample code for the PcapDumper directly from the user guide. It creates a pcap dump file that opens normally in something like Wirehshark, but when I try to open it using jnetpcap API, none of the headers and so forth are recognized normally, it does things like say that Ethernet frames are Token ring frames. This was an issue present in the stable release and is still present in the latest developer build (b0003). Any ideas? Attached is the capture file generated from the PcapDumper routine.

Memory, API change and 1.2 release

by Mark B. | Fri, 06/26/2009 - 23:25

After careful review and a long design session about "Dissectors/containers" (analyzers are also part of this decision), I have made a decision that this feature can not be properly implemented using current memory model used in jNetPcap when managing natively allocated memory. This is something I will be working on, but only after 1.2.alpha is released. Therefore I am almost ready to freeze the feature set and get things ready for an official 1.2 release.

Pcap.Loop hangup

by KayJoe | Wed, 06/24/2009 - 09:34

I'm having a problem with my JNetPcap application getting hung up. I am running Eclipse under Windows XP, and using 1.2.rc4 version.

The app works fine most of the time, but then just hangs. I was able to track it down to where it works up to just before an ICMPv6 message (Wireshark description)

17 4.409616 fe80::30fa:5fc7:2ed3:694e ff02::2 ICMPv6 Router solicitation 2009-06-24 14:31:44.242222

Not sure if this message is the "poison pill" but its next in line to be processed just before it apparently hangs.

==================================
So I tried upgrading to 1.3 JNetPCap (beta version)... and it has the problem that EVERY call to hasHeader(payload) returns false...

Help with either or both of these items is most appreciated!

2 comments

Basic Help

by kabriel | Wed, 06/24/2009 - 08:11

Greetings,

I'm new here, i just started trying to use jnetpcap on monday. I've run into a bunch of problems and so far i haven't been able to get past them. i've tried to do some searches on the forums, and i've read over just about all of the userguide, however, to be honest, i find this site very difficult to understand. It is hard to find information and simple code examples/snippets, and it is hard to understand what should work, and with what version. I'm unclear what examples are supposed to only work with 1.2, 1.3 or how jnetstream relates to all of this as well. I want to find the answer myself without having to bother anyone, but alas i need to post here.

I have a tcpdump file that i want to analyze and re-create the tcp stream a user application would receive from a tcp socket. I also then want to, for each byte of that stream, find the associated packet that byte was delivered in. I want to use this to do some performance analysis.

What i've tried so far:

* I first tried to apply the Mac OS X patch from Mardy but it had issues (not sure if it was for 1.2 or 1.3, and i tried 1.3, which might have been my problem). I then tried to re-create the changes by hand, but then i had a lot of compiler errors (i think related to lack of JAVA_HOME and proper pcap headers being available, but i could not find any help/docs on how to build and what the requirements are). I gave up on this, however i would really like to see a supported OS X distribution in the future

IllegalArgumentException

by timguy | Wed, 06/24/2009 - 00:29

Hi,

I get an exception if I read to much packets from an offline file. The offline file has more than 100 000 packets. The problem is that the exception occur short before all packets are read. When I limit the dispatch to 50 000 packets the exception occur short before it's finished and if I limit it to 80 000 it also occur short before it's finished.

fr.tcp.net.ExtractResponseTimes.testTcpReassembly2(ExtractResponseTimes.java:49)
pcapOffline.dispatch(40000, controller, pcapOffline);

java.lang.IllegalArgumentException: Invalid [68,598,530) range. at org.jnetpcap.nio.JMemory.peer(JMemory.java:391) at org.jnetpcap.nio.JBuffer.peer(JBuffer.java:269) at org.jnetpcap.packet.JPacket.getHeaderByIndex(JPacket.java:687) at org.jnetpcap.packet.JPacket.hasHeader(JPacket.java:913) at org.jnetpcap.packet.JPacket.hasHeader(JPacket.java:887) at org.jnetpcap.protocol.tcpip.HttpAnalyzer.processPacket(HttpAnalyzer.java:80) at org.jnetpcap.packet.analysis.JController.processHeaders(JController.java:331) at org.jnetpcap.packet.analysis.JController.processPacket(JController.java:397) at org.jnetpcap.packet.analysis.JController.processInboundQueue(JController.java:349) at org.jnetpcap.packet.analysis.JController.nextPacket(JController.java:292) at org.jnetpcap.packet.analysis.JController.nextPacket(JController.java:122) at org.jnetpcap.Pcap.loop(Native Method) at org.jnetpcap.Pcap.loop(Pcap.java:2223) at fr.tcp.net.ExtractResponseTimes.testTcpReassembly2(ExtractResponseTimes.java:49) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:585) at org.junit.internal.runners.TestMethodRunner.executeMethodBody(TestMethodRunner.java:99) at org.junit.internal.runners.TestMethodRunner.runUnprotected(TestMethodRunner.java:81)

4.3.1 - Quickscan

The most important function of the scanner is to perform a quick scan of the packet buffer and record information about what headers are found and at what location within the buffer. This information is then associated with a java packet or more specifically JPacket<code> and <code>JPacket.State classes. The first provides access to packet data buffer and the second to scanner state structures for packet. There is also a JHeader.State class which provides access to each individual's header's state. JHeader itself is peered (linked) with native memory location that is the packet buffer, but specifically at offset into the buffer that points to the start of the each header.

4.3 - Scanner Internals

JScanner class is the front end to a small library of functionality implemented native code (C/C++ language). The scanner can be invoked from both native code and from java space. For example the PcapPacketHandler.nextPacket method, before it is invoked by native libpcap dispatcher, it first invokes the scanner before transferring control to user's java handler. At the same time, a newly created packet using JMemoryPacket can invoke the scanner from java space using JMemoryPacket.scan which will invoke the default packet scanner for the currently active thread.

The scanner performs several functions:

discovery of main headers in the packet
discovery of the next header in the chain of headers using direct binding method
invokes a java bind method
invokes a java headerLength method defined in a header
dissects the contents of a header. Actually maintains 2 separate tables, one for dissecting sub-headers and the second for dissecting optional fields.

Header containers

by Mark B. | Sun, 06/21/2009 - 02:21

Just a quick update on what I'm working on right now. As described in the dev priorities thread (http://jnetpcap.com/node/309), I'm currently focusing on 1.2 work. The highest priority is redesign of header containers.

Header containers are objects that a header definition can allocate to store detailed information about the header structure such as its fields and subheaders. jNetPcap's scanner records information about the packet and where the headers start and end, but not what they look like inside. That is done by the header definition such as Ip4.class which looks at its options, flags and optional headers.

Header definition classes are free to use whatever means and mechanism to scan the header contents and record the results. Existing approach provided some container classes that also extended JHeader (the main header super class). This is not very scalable since if you have 2 different ways you need to store certain portions of the header such as some parts as a list and other parts as a tree, you would need to find a specialized container class you could subclass that would provide storage both ways or implement something completely from scratch to satisfy your requirements.

As jNetPcap's API goal is to be super friendly, it needs to provide these basic building blocks for flexible header design.

This is what I'm workin on now. I am writting several containers in 2 categories, field containers and sub-header containers. The main design work is focused on how to allow native scanners efficiently record detailed header breakdown. This would allow a low level scanner to dissect a header into fields and subheaders, record that information in native header structures where in java peered header objects would share this information instead of redissecting the header everytime a new header object is peered.