Thread: pcap "packet" processing and storage

The pcap loop callback routine that the libcap library uses each time it captures a packet returns a pointer to a packet that it has captured. I am a little confused as to the time period for which this "packet" memory is allocated. If I am performing calculations or even storage with each packet that pcap captures, will this memory location be overwritten while I am performing my tasks on the current packet location. It seems as though if I take too long in analyzing each packet that the data for the packet becomes corrupted or overwritten with the next packet received or I miss packets all together. Does pcap have any type of packet queuing system or is the programmer responsible for performing a memcpy on the packets returned and queuing them as soon as they are received in the callback? I am assuming under heavy network throughput the problem I am explaining above will only get worse as pcap has greater flow of packets to capture. How is pcap supposed to keep up with the large number of packets? or how am I supposed to keep up with the large number of packets received and still analyze each packet?

Unless libpcap is multithreaded, I don't see how this is possible. By doing too much processing in the callback, you could potentially end up dropping packets due to the raw socket queue getting filled, but I don't think you could see data corruption in memory. I think you're probably causing that yourself somewhere.

At any rate, just restructuring your code isn't going to solve the issue of not being able to keep up with packets. No matter how you do things, if the CPU isn't able to keep up with the raw packet flow, you're stuck.

I'll just implement my own queue to store packets from the callback.