0
我的分叉代理为每个传入连接重复:每个子进程启动一个分离的线程,该分离的线程使用pcap会话记录该连接的数据包。看着我的日志文件,我发现属于同一连接的两个捕获的数据包之间的延迟为0秒。为什么我的libpcap会话中两个捕获的数据包之间有0秒的延迟?
我不知道这是否是因为我的错误,或者我在pcap库中丢失了某些东西,但对我来说这是一个严重的错误:延迟用于计算每秒的数据包,并使用公式1000000/delay(延迟以微秒为单位)。
这是我应该担心的事情吗?或者pcap_pkthdr没有提供足够的精度?我对接收数据包的速度并不熟悉(代理服务器正在我的笔记本电脑上运行,我正在使用我的适中家庭网络,下载速度为5 Mbps)。
这只发生在下载数据包的同时(当我收到Debian ISO或观看YouTube视频时),它在接近80000个捕获的数据包中发生10次。如果timeval在pcap_pkthdr将使用nanoseconds,0延迟会消失吗?
总之,这里的每一个记录线程执行代码:
int res;
char errbuf[PCAP_ERRBUF_SIZE];
pcap_t *handle;
struct bpf_program fp;
bpf_u_int32 net = PCAP_NETMASK_UNKNOWN;
struct pcap_pkthdr *header;
const u_char *pkt_data;
struct timeval oldTimeUploadStruct;
struct timeval oldTimeDownloadStruct;
const char *filter_exp = // big filter of mine
handle = pcap_open_live("wlan0", 65535, 0, 1000, errbuf);
if (handle == NULL) {
fprintf(stderr, "Couldn't open device wlan0: %s\n", errbuf);
return;
}
// Compile and apply the filter
if (pcap_compile(handle, &fp, filter_exp, 0, net) == -1) {
fprintf(stderr, "Couldn't parse filter %s: %s\n", filter_exp, pcap_geterr(handle));
pcap_close(handle);
return;
}
if (pcap_setfilter(handle, &fp) == -1) {
fprintf(stderr, "Couldn't install filter %s: %s\n", filter_exp, pcap_geterr(handle));
pcap_close(handle);
return;
}
gettimeofday(&oldTimeUploadStruct, NULL);
gettimeofday(&oldTimeDownloadStruct, NULL);
long long oldTimeUpload = (oldTimeUploadStruct.tv_sec * 1000000) + oldTimeUploadStruct.tv_usec;
long long oldTimeDownload = (oldTimeDownloadStruct.tv_sec * 1000000) + oldTimeDownloadStruct.tv_usec;
// stopLogging is a flag set to false from child process before detaching this thread;
// when connection is over, the flag is set to true and this loop breaks
while ((res = pcap_next_ex(handle, &header, &pkt_data)) && (stopLogging == false)) {
// 0 if the timeout set with pcap_open_live() has elapsed.
// In this case pkt_header and pkt_data don't point to a valid packet
if (res == 0) {
continue;
}
if (packet is in upload) {
long long timestamp = (header->ts.tv_sec * 1000000) + header->ts.tv_usec;
long long delay = timestamp - oldTimeUpload;
std::stringstream mylogstream;
// creating string to log: I omitted some variables
// like IP addresses and ports for brevity
mylogstream << host << " UPLOAD " << timestamp << ' ' << header->caplen << ' ' << delay;
// logging captured packet
std::string mylog = mylogstream.str();
fs << mylog;
oldTimeUpload = timestamp;
}
else if (packet is in download) {
long long timestamp = (header->ts.tv_sec * 1000000) + header->ts.tv_usec;
long long delay = timestamp - oldTimeDownload;
std::stringstream mylogstream;
mylogstream << host << " DOWNLOAD " << timestamp << ' ' << header->caplen << ' ' << delay;
// logging captured packet
std::string mylog = mylogstream.str();
fs << mylog;
oldTimeDownload = timestamp;
}
}
if(res == -1)
printf("Error reading the packets: %s\n", pcap_geterr(handle));
debugGreen("Quit logging connection towards " << hostName);
pcap_close(handle);
您是否检查过包内容? –
另外,它可能发生在pcap上的一个帧被分成几部分。 (检查标题 - > caplen!=标题 - > len) –
两件事。 1)你可以平均几个数据包的延迟。 2)可能是由于数据包聚合,他们同时到达 – Jonas