Wireshark · Ethereal-dev: Re: [Ethereal-dev] Too many pcap_open_live calls during capture loop

[Ulf Lamping <ulf.lamping@xxxxxx>]

Jacques, Olivier (OCBU-Test Infra) wrote:
> Hello,
>
> On the latest SVN build (I don't know when it appeared...), on my win XP
> SP2 laptop/winpcap 3.1, there are many pcap_open_live calls during
> capture.
>   
I'm using latest SVN on XP SP2 laptop, too ...
> I added some traces in winpcap to try to track this down (in the traces,
> pist_ is a trace in wpcap which corresponds to pcap_... But for the pist
> interface. A pist_open_live will be called every time a pcap_open_live
> is called):
>
> When I open the "Show Capture Options Dialog" in Ethereal:
> pist_open_live
> pist_create_trace_device
> pist_platform_close
> pist_platform_close: p = '2181b30'
> pist_delete_trace_device
> delete_pcap_pist
> delete_pcap_pist: p = '2181b30'
> pist_open_live
> pist_open_live: p='2181b30'
> new_pcap_pist: p='2181b30'
> pist_create_trace_device
> pist_platform_close
> pist_platform_close: p = '2181b30'
> pist_delete_trace_device
> delete_pcap_pist
> delete_pcap_pist: p = '2181b30'
>
> -> 2 open/close. This looks correct.
>   
I cannot reproduce this, Ethereal is calling this only once.

(Breakpoint in capture_wpcap.c line 244 is called only once)
> Selecting the pist interface in the "show capture options" dialog:
> pist_open_live
> pist_open_live: p='2181b30'
> new_pcap_pist: p='2181b30'
> pist_create_trace_device
> pist_platform_close
> pist_platform_close: p = '2181b30'
> pist_delete_trace_device
> delete_pcap_pist
> delete_pcap_pist: p = '2181b30'
> pist_open_live
> pist_open_live: p='2181b30'
> new_pcap_pist: p='2181b30'
> pist_create_trace_device
> pist_platform_close
> pist_platform_close: p = '2181b30'
> pist_delete_trace_device
> delete_pcap_pist
> delete_pcap_pist: p = '2181b30'
>
> -> 2 open/close. This looks correct too.
>   
Same as above.
> Starting the capture:
> pist_open_live
> pist_open_live: p='2181c50'
> new_pcap_pist: p='2181c50'
> pist_create_trace_device
> pist_open_live
> pist_open_live: p='21814d0'
> new_pcap_pist: p='21814d0'
> pist_create_trace_device
> pist_open_live
> pist_open_live: p='21810c0'
> new_pcap_pist: p='21810c0'
> pist_create_trace_device
> pist_open_live
> pist_open_live: p='2182c80'
> new_pcap_pist: p='2182c80'
> pist_create_trace_device
> pist_open_live
> pist_open_live: p='2182900'
> new_pcap_pist: p='2182900'
> pist_create_trace_device
> ...
>
> And the trace goes on until I stop the capture.
>   
Looks odd.
> Why is there so many pcap_open_live when capturing? Should we only have
> one and use the handler created at this occasion?
>   
That's how it's implemented for the capturing code ...

Note that it's not really possible to (re-)use the handle from the 
dialogs, as this is a completely different point in the sources.
> Also, when stopping the capture, the close_op (which points in my case
> to "pist_platform_close") is not called at the end of the capture. I
> think this is another resource leakage.
>   
That would be the case, although the capture code looks alright.
> I tried to look at the capture loop code in Ethereal, but this goes
> beyond my knowledge, so I was unable to propose a patch :)
>   
I have real doubts that this is caused by Ethereal. I've had a look at 
the capture_loop.c code and it looks alright (should do one open and one 
close call).

Probably some internal calls inside WinPcap?!?

At which interval does these open calls rush in?

Regards, ULFL