pcap_stats 是否在 Ubuntu 14.04 LTS 上实现？

Question

阅读 pcap 手册页，我看到了关于 pcap_stats() 的简介：

统计数据在所有平台上的行为方式不尽相同。 ps_recv 可能会计算数据包是否通过了任何使用 pcap_setfilter(3PCAP) 设置的过滤器，或者它可能只计算通过过滤器的数据包。它还可能会或可能不会计算丢弃的数据包，因为当它们到达时操作系统的缓冲区中没有空间。 ps_drop 并非在所有平台上都可用；在不可用的平台上为零。如果包过滤是在 libpcap 中完成的，而不是在操作系统中，它会计算未通过过滤器的包。 ps_recv 和 ps_drop 可能会或可能不会计算尚未从操作系统读取的数据包，因此应用程序尚未看到。 ps_ifdrop 可能实施，也可能不实施；如果它为零，则可能意味着接口没有丢弃任何数据包，或者可能意味着统计信息不可用，因此不应将其视为接口没有丢弃任何数据包的指示。

所有这些“可能会或可能不会”子句并没有真正激发我对这个函数调用会给我带来什么有用的信心。

有谁知道 Ubuntu 14.04 LTS 是否以有意义的方式支持 pcap_stats() 调用？

Answer 1

所有这些“可能或可能不会”子句并不能真正激发我对这个函数调用会给我带来什么有用的信心。

这就是意图。 libpcap 位于许多不同的底层数据包捕获机制之上，这些机制提供统计数据的能力各不相同 - 不幸的是，pcap_stats() 在缺乏指示哪些统计数据是有效的以及指示在哪里的能力方面并没有什么不同。数据包被计算在内。

有谁知道 Ubuntu 14.04 LTS 是否以有意义的方式支持 pcap_stats() 调用？

内核版本很重要，因为它控制着 libpcap 运行的数据包捕获代码。 The 14.04.4 release will have a 4.2 kernel.

14.04 也是appears to have libpcap 1.5.3。引用 libpcap 1.5.3 中 pcap-linux.c 中的注释：

     * On systems where the PACKET_STATISTICS "getsockopt()"
     * argument is supported on PF_PACKET sockets:
     *
     *  "ps_recv" counts only packets that *passed* the
     *  filter, not packets that didn't pass the filter.
     *  This includes packets later dropped because we
     *  ran out of buffer space.
     *
     *  "ps_drop" counts packets dropped because we ran
     *  out of buffer space.  It doesn't count packets
     *  dropped by the interface driver.  It counts only
     *  packets that passed the filter.
     *
     *  See above for ps_ifdrop. 
     *
     *  Both statistics include packets not yet read from
     *  the kernel by libpcap, and thus not yet seen by
     *  the application.
     *
     * In "linux/net/packet/af_packet.c", at least in the
     * 2.4.9 kernel, "tp_packets" is incremented for every
     * packet that passes the packet filter *and* is
     * successfully queued on the socket; "tp_drops" is
     * incremented for every packet dropped because there's
     * not enough free space in the socket buffer.
     *
     * When the statistics are returned for a PACKET_STATISTICS
     * "getsockopt()" call, "tp_drops" is added to "tp_packets",
     * so that "tp_packets" counts all packets handed to
     * the PF_PACKET socket, including packets dropped because
     * there wasn't room on the socket buffer - but not
     * including packets that didn't pass the filter.
     *
     * In the BSD BPF, the count of received packets is
     * incremented for every packet handed to BPF, regardless
     * of whether it passed the filter.
     *
     * We can't make "pcap_stats()" work the same on both
     * platforms, but the best approximation is to return
     * "tp_packets" as the count of packets and "tp_drops"
     * as the count of drops.