Thursday, January 24, 2008


I spent the evening fooling with libpcap. I've found something strange on my Leopard machine that is interesting because it is different from the documentation I am reading.

What is interesting is the pcap_open_live function. When I use a value of 0 for the timeout value parameter, it takes a very long time to capture packets, and I capture them all in a big burst.

E.g., when running descr = pcap_open_live(dev,1,0,0,errbuf); followed by pcap_dispatch(descr,-1,my_callback,NULL);
my program seems hung.

When I change to
I capture all the packets that occur in 1 second.

It seems like the timeout value of pcap_open_live is some sort of polling of some sort of system-level network packet buffer.

I can live with this for the purpose of my little experiments. However, I note that top shows a higher level of CPU usage when the "polling" value is lower.
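
A small model of the buffering behaviour described above, added here as an illustration and not code from the original post or from libpcap. It assumes a blocking read returns only when the kernel capture buffer is full or the to_ms timer expires, with to_ms == 0 meaning no timer; sim_read, struct read_result, the packet trace and the buffer sizes are all constructed for the example.

```c
#include <stdio.h>
#include <stddef.h>

/* One simulated blocking read on the kernel capture buffer. */
struct read_result {
    long returned_at_ms;  /* -1: still blocked when the trace ends */
    size_t packets;       /* packets delivered to the callback in this batch */
};

/* Assumed model, not libpcap source: a read started at start_ms returns when
 * the buffer has no room for another packet, or when to_ms elapses.
 * to_ms == 0 means no timer. arrivals_ms is sorted; *next = first unread packet. */
struct read_result sim_read(const long *arrivals_ms, size_t n, size_t *next,
                            size_t pkt_bytes, size_t buf_bytes,
                            long start_ms, long to_ms)
{
    struct read_result r = { -1, 0 };
    long deadline = to_ms > 0 ? start_ms + to_ms : -1;
    size_t used = 0, i = *next;
    while (i < n && (deadline < 0 || arrivals_ms[i] <= deadline)) {
        used += pkt_bytes;
        i++;
        if (used + pkt_bytes > buf_bytes) {      /* buffer full: wake reader */
            long t = arrivals_ms[i - 1];
            r.returned_at_ms = t > start_ms ? t : start_ms;
            break;
        }
    }
    if (r.returned_at_ms < 0 && deadline >= 0)   /* timer expired first */
        r.returned_at_ms = deadline;
    if (r.returned_at_ms >= 0) {                 /* hand over the batch */
        r.packets = i - *next;
        *next = i;
    }
    return r;
}

int main(void)
{
    long trace[10];                              /* constructed: 1 packet per 100 ms */
    for (int k = 0; k < 10; k++) trace[k] = 100L * (k + 1);
    size_t next = 0;
    struct read_result a = sim_read(trace, 10, &next, 100, 32768, 0, 0);
    printf("to_ms=0:    returned_at=%ld packets=%zu\n", a.returned_at_ms, a.packets);
    struct read_result b = sim_read(trace, 10, &next, 100, 32768, 0, 1000);
    printf("to_ms=1000: returned_at=%ld packets=%zu\n", b.returned_at_ms, b.packets);
    return 0;
}
```

With no timer the light traffic never fills the buffer, so the reader stays blocked; with a 1000 ms timer the same ten packets arrive in one batch when the timer fires.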

