Author Topic: pcap / packet sniffing question  (Read 5732 times)

0 Members and 2 Guests are viewing this topic.

Offline Ender

  • x86
  • Hero Member
  • *****
  • Posts: 2390
    • View Profile
pcap / packet sniffing question
« on: December 01, 2010, 02:50:45 am »
So I am writing a packet sniffer using pcap.h and I thought I'd pose a question here that is confusing me.

I have a very simple C program that captures packets from my network device in an infinite loop. But for some reason, it only picks up on packets when I create a new TCP connection. So when I open a browser and go to a URL, do a wget, or start up my IRC client it picks up on a bunch of packets.

However, if I already have my IRC client running, it won't pick up on the text messages exchanged on the IRC server. Furthermore, it won't pick up on any packets when I ping a website.

Does anyone know why this is? My guess is that the network programs I am using (such as X-Chat for IRC or ping on unix) are removing the packets from the packet queue as they process them, so there is nothing to pick up.

Do you think my hunch is correct?

Offline while1

  • x86
  • Hero Member
  • *****
  • Posts: 1013
    • View Profile
Re: pcap / packet sniffing question
« Reply #1 on: December 01, 2010, 08:40:18 pm »
My hunch is that your hunch is incorrect.

But without low level details or code, it's hard to tell otherwise.
I tend to edit my topics and replies frequently.

http://www.operationsmile.org

Offline Ender

  • x86
  • Hero Member
  • *****
  • Posts: 2390
    • View Profile
Re: pcap / packet sniffing question
« Reply #2 on: December 01, 2010, 08:52:48 pm »
Yeah my hunch was wrong.

Fixed it. It had everything to do with the TIMEOUT value. I set it to -1 and that messed things up. When I set it to 1000 I basically see new packet(s) displayed on STDOUT every second. If I set it to 10000 I see packets displayed every ten seconds. If I set it to 10 or 500, I don't see packets displayed...

Funny how important this one value is.

Offline while1

  • x86
  • Hero Member
  • *****
  • Posts: 1013
    • View Profile
Re: pcap / packet sniffing question
« Reply #3 on: December 02, 2010, 09:54:09 pm »
Yeah, I had a feeling it was a misunderstanding of or the way you were using the API... your hunch seemed too out there.  With most networking APIs, timeout parameters almost always need to be tweaked in my experience.
I tend to edit my topics and replies frequently.

http://www.operationsmile.org

Offline Ender

  • x86
  • Hero Member
  • *****
  • Posts: 2390
    • View Profile
Re: pcap / packet sniffing question
« Reply #4 on: December 02, 2010, 11:10:17 pm »
That's interesting. I never thought timeout values were all that important.