[Bro] pcap_next Question

Siwek, Jonathan Luke jsiwek at illinois.edu
Mon May 21 09:48:31 PDT 2012


> Line 78 in PktSrc.cc is consistently related to issues in the
> backtraces I'm getting from bro core dumps.  I really haven't written
> much code with libpcap, so there's probably a good reason to use
> pcap_next() there.  I'm just wondering, why not use pcap_next_ex()
> there and do a bit of error checking before passing packet data along?
> The way it is right now, it looks like the code just trusts that
> pcap_next() read a packet successfully and then hands it off.

pcap_next() returns NULL if an error occurs or no packets are read from a live capture.  The call to it in PktSrc::ExtractNextPacket() that you mention does look like it checks the validity of the return value in several places and its own return value is based on it (which is also checked whenever it's called).

But I don't know why pcap_next_ex() isn't used to get information about errors so some text can be relayed to the user; maybe that function didn't exist at the time the code was written.

> 
> I think that in my case, something is going wrong with the call to
> pcap_next() -- it's returning a pointer that doesn't make any sense.
> If there was a little error checking around pcap_next() by using
> pcap_next_ex() instead, maybe that would prevent the crash I'm seeing.

Do you have a stack trace you can send?  If pcap_next() were returning a bogus pointer, I don't think you'd see the call to it in the stack; you'd be at a later point in the code where it attempted to access it and crashed.  That is, if pcap_next() is in your stack trace, something bad is probably happening within the pcap library and the caller would never have the opportunity to check the return value.

+Jon
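
The distinction discussed in this message, as an added example that is not part of the original post and is not Bro's code: pcap_next() collapses "error" and "no packet yet" into one NULL, while pcap_next_ex() returns 1, 0, -1 or -2, which a caller can act on separately. The function name, the verdict enum and the caplen/len/snaplen sanity checks are assumptions of this sketch; the return codes are defined locally so it builds without libpcap.

```c
#include <stddef.h>
#include <stdint.h>

/* Return values documented for pcap_next_ex(). Defined locally here;
 * with <pcap/pcap.h>, -1 and -2 are PCAP_ERROR and PCAP_ERROR_BREAK. */
enum { NEXT_OK = 1, NEXT_TIMEOUT = 0, NEXT_ERROR = -1, NEXT_EOF = -2 };

/* Hypothetical verdicts for a capture loop (names are this example's). */
typedef enum {
    PKT_DELIVER,  /* header and data usable: hand to the analyzer */
    PKT_RETRY,    /* live capture timed out with no packet: poll again */
    PKT_DONE,     /* savefile exhausted: stop cleanly */
    PKT_FAIL,     /* read error: report pcap_geterr() text and stop */
    PKT_DROP      /* call succeeded but the result fails sanity checks */
} pkt_verdict;

/* Decide what to do with one pcap_next_ex(p, &hdr, &data) result.
 * rc       value returned by pcap_next_ex()
 * have_hdr nonzero if hdr is non-NULL (pass caplen = len = 0 otherwise)
 * caplen   hdr->caplen, bytes actually captured
 * len      hdr->len, bytes on the wire
 * data     packet data pointer filled in by the call
 * snaplen  snapshot length the handle was opened with */
pkt_verdict classify_read(int rc, int have_hdr, uint32_t caplen, uint32_t len,
                          const unsigned char *data, uint32_t snaplen)
{
    switch (rc) {
    case NEXT_TIMEOUT: return PKT_RETRY;
    case NEXT_EOF:     return PKT_DONE;
    case NEXT_OK:      break;
    default:           return PKT_FAIL;  /* NEXT_ERROR or anything unexpected */
    }
    /* Only on success are the out-pointers meaningful; verify them anyway. */
    if (!have_hdr || data == NULL)
        return PKT_DROP;
    /* Assumed sanity rules: non-empty, never more than the wire length,
     * never more than the snapshot length. */
    if (caplen == 0 || caplen > len || caplen > snaplen)
        return PKT_DROP;
    return PKT_DELIVER;
}
```

As the reply notes, checks like these only help when the read call returns; a crash inside the pcap library itself happens before the caller sees any return value.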


