pcap / packet sniffing question

Started by Ender, December 01, 2010, 02:50:45 AM


Ender

So I am writing a packet sniffer using pcap.h and I thought I'd pose a question here that is confusing me.

I have a very simple C program that captures packets from my network device in an infinite loop. But for some reason, it only picks up on packets when I create a new TCP connection. So when I open a browser and go to a URL, do a wget, or start up my IRC client it picks up on a bunch of packets.

However, if I already have my IRC client running, it won't pick up on the text messages exchanged on the IRC server. Furthermore, it won't pick up on any packets when I ping a website.

Does anyone know why this is? My guess is that the network programs I am using (such as X-Chat for IRC or ping on unix) are removing the packets from the packet queue as they process them, so there is nothing to pick up.

Do you think my hunch is correct?

while1

My hunch is that your hunch is incorrect.

But without low level details or code, it's hard to tell otherwise.
I tend to edit my topics and replies frequently.

http://www.operationsmile.org

Ender

Yeah my hunch was wrong.

Fixed it. It had everything to do with the TIMEOUT value. I set it to -1 and that messed things up. When I set it to 1000 I basically see new packet(s) displayed on STDOUT every second. If I set it to 10000 I see packets displayed every ten seconds. If I set it to 10 or 500, I don't see packets displayed...

Funny how important this one value is.
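
An added illustration, not part of the thread and not libpcap code: a simplified model of how a capture buffer with a read timeout (the `to_ms` argument of `pcap_open_live`) hands packets to the application in batches. The buffer capacity of 4, the sample arrival times, and treating a non-positive timeout as "no timer" are assumptions of the model; libpcap documents a negative timeout as invalid with unpredictable results, and real behaviour is platform-specific.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model, an assumption of this example (not libpcap source):
 * packets wait in a capture buffer and reach the application only when the
 * buffer holds `cap` packets or `timeout_ms` has passed since the first
 * buffered packet arrived. timeout_ms <= 0 is modelled as "no timer". */

/* Constructed sample: a 4-packet burst (new TCP connection), then two
 * isolated packets seconds apart (chat lines on an idle connection). */
static const long SAMPLE_ARRIVE_MS[] = {0, 1, 2, 3, 5000, 9000};
#define SAMPLE_N (sizeof SAMPLE_ARRIVE_MS / sizeof SAMPLE_ARRIVE_MS[0])

/* Sets deliver_ms[i] to the time packet i is handed over, or -1 if it is
 * still buffered when the trace ends. Arrival times must be ascending.
 * Returns the number of packets delivered. */
size_t model_delivery(const long *arrive_ms, size_t n, size_t cap,
                      long timeout_ms, long *deliver_ms)
{
    size_t start = 0, delivered = 0;
    for (size_t i = 0; i < n; i++) deliver_ms[i] = -1;
    if (cap == 0) return 0;             /* a zero-size buffer holds nothing */
    while (start < n) {
        long deadline = timeout_ms > 0 ? arrive_ms[start] + timeout_ms : -1;
        size_t end = start;             /* one past the batch's last packet */
        while (end < n && end - start < cap &&
               (deadline < 0 || arrive_ms[end] <= deadline))
            end++;
        long when;
        if (end - start == cap) when = arrive_ms[end - 1]; /* buffer full */
        else if (deadline >= 0) when = deadline;           /* timer fired */
        else break;                     /* no timer and buffer never filled */
        for (size_t i = start; i < end; i++) deliver_ms[i] = when;
        delivered += end - start;
        start = end;
    }
    return delivered;
}

int main(void)
{
    const long timeouts[] = {-1, 1000};
    long out[SAMPLE_N];
    for (size_t t = 0; t < 2; t++) {
        size_t got = model_delivery(SAMPLE_ARRIVE_MS, SAMPLE_N, 4, timeouts[t], out);
        printf("timeout=%ld ms: %zu of %zu delivered\n", timeouts[t], got, (size_t)SAMPLE_N);
        for (size_t i = 0; i < SAMPLE_N; i++)
            printf("  arrived %5ld ms -> delivered %5ld ms\n", SAMPLE_ARRIVE_MS[i], out[i]);
    }
    return 0;
}
```

In this model the burst is delivered as soon as it fills the buffer under either setting, while the isolated packets only surface when a timer exists to flush a partly filled buffer.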

while1

Yeah, I had a feeling it was a misunderstanding of, or the way you were using, the API... your hunch seemed too out there. With most networking APIs, timeout parameters almost always need to be tweaked, in my experience.

Ender

That's interesting. I never thought timeout values were all that important.