Number of simultaneous pcap_open calls per interface

Hello all,

Can anyone explain the number of, and reasoning behind, multiple
pcap_open calls to the same interface? Is one used for each type of
analyzer?

While experimenting with certain hardware I noticed a continuous stream
of errors due to exclusive usage limitations of the capture card.

(And if it's not too confusing I'd be interested to hear if and how the
Zero-copy buffer mode detailed in bpf(4) on FreeBSD might be utilized
within Bro).

Regards,

--Jason

> Can anyone explain the number of, and reasoning behind, multiple
> pcap_open calls to the same interface? Is one used for each type of
> analyzer?

You should see at most two calls. One is for the main Bro processing,
and the second, if present, is for the "secondary filter". Unless you
went out of your way to instantiate the latter, it should only be active
if you did @load large-conns or @load secondary-filter. (You'll also
get this if you @load all, which is only meant for testing.)

If you're not doing that, then it's worth breakpointing the pcap_open
calls and sending along tracebacks from each of them.

    Vern
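
The breakpointing step suggested in the reply above can be scripted so that every pcap open produces a traceback in one log. This is an added example, not part of the original thread or of Bro itself; it assumes gdb is installed and the binary exposes libpcap symbols, and the BRO_BIN path, the em0 interface and the file names are placeholders.

```shell
#!/bin/sh
# Added example: log a backtrace for each libpcap open call made by a process.
# BRO_BIN and IFACE are placeholders; adjust them for the local install.
BRO_BIN="${BRO_BIN:-/usr/local/bro/bin/bro}"
IFACE="${IFACE:-em0}"

# Emit a gdb command file: break on the libpcap open entry points,
# print a backtrace at each hit, then resume the program.
gdb_commands() {
    printf '%s\n' 'set pagination off' 'set breakpoint pending on'
    for fn in pcap_open_live pcap_open_offline; do
        printf 'break %s\ncommands\n  backtrace\n  continue\nend\n' "$fn"
    done
    printf 'run\n'
}

# Run the binary under gdb in batch mode and capture everything in a log.
# $1 = gdb command file to write, $2 = log file to write.
trace_opens() {
    gdb_commands > "$1"
    gdb -batch -x "$1" --args "$BRO_BIN" -i "$IFACE" > "$2" 2>&1
}

# Count open calls in a captured log by matching innermost frames (#0).
# More than two hits for one interface is the case worth reporting.
count_opens() {
    grep -Ec '^#0 .*pcap_open_(live|offline) \(' "$1"
}

# Typical use (needs capture privileges, so it is not run here):
#   trace_opens /tmp/pcap.gdb /tmp/pcap-opens.log
#   count_opens /tmp/pcap-opens.log
```

Each "#0" frame in the log is followed by the call chain that led to the open, which is the traceback the reply asks for.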