Clan x86
Technical (Development, Security, etc.) => General Programming => Topic started by: Ender on December 01, 2010, 02:50:45 am
-
So I am writing a packet sniffer using pcap.h and I thought I'd pose a question here that is confusing me.
I have a very simple C program that captures packets from my network device in an infinite loop. But for some reason, it only picks up on packets when I create a new TCP connection. So when I open a browser and go to a URL, do a wget, or start up my IRC client it picks up on a bunch of packets.
However, if I already have my IRC client running, it won't pick up on the text messages exchanged on the IRC server. Furthermore, it won't pick up on any packets when I ping a website.
Does anyone know why this is? My guess is that the network programs I am using (such as X-Chat for IRC or ping on unix) are removing the packets from the packet queue as they process them, so there is nothing to pick up.
Do you think my hunch is correct?
-
My hunch is that your hunch is incorrect.
But without low level details or code, it's hard to tell otherwise.
-
Yeah my hunch was wrong.
Fixed it. It had everything to do with the TIMEOUT value. I set it to -1 and that messed things up. When I set it to 1000 I basically see new packet(s) displayed on STDOUT every second. If I set it to 10000 I see packets displayed every ten seconds. If I set it to 10 or 500, I don't see packets displayed...
Funny how important this one value is.
-
Yeah, I had a feeling it was a misunderstanding of or the way you were using the API... your hunch seemed too out there. With most networking APIs, timeout parameters almost always need to be tweaked in my experience.
-
That's interesting. I never thought timeout values were all that important.