
pcap only picking up on new connections

开发者 (Developer) https://www.devze.com 2023-01-28 02:37 Source: web

I wrote a very simple C program to do a packet capture using pcap. Thing is, it only picks up on a small subset of my network activity. (I think the pattern is that it only picks up on new TCP connections.)

For instance, it picks up on a bunch of packets when I do a GET request with a browser or with wget, or when I start up my X-Chat IRC client and connect.

However, when I leave my IRC client running it doesn't pick up on the packets corresponding to text messages. Similarly, it doesn't pick up on ARP broadcasts on my home network, or ping packets when I ping a website.

I am wondering why it is only picking up on this small subset of the packets I am sending/receiving. Here is my code. I am grateful for any feedback.

Code: http://pastebin.com/QDHRy6jM


What's probably happening is that you're running on a platform where the timeout behaves the way it does with BPF (*BSD, OS X), Solaris, or Windows with WinPcap, wherein the underlying packet capture mechanism that pcap is using does not deliver packets immediately, but buffers up a batch of packets and delivers them to pcap either when the buffer fills up or when the timeout expires, and -1 is either being interpreted as "no timeout" or "a very long timeout".

In that case, if enough packets arrive to fill up the buffer, as might be the case if you do an HTTP get and a sufficiently large reply comes back, or if the IRC session involves a lot of packets to connect, the packets will show up, but if only occasional packets arrive, such as ARP packets on a mostly quiet network, the packets will remain in the buffer until either enough packets arrive to fill up the buffer, which could take an indefinitely long time, or the very long timeout expires, which could take quite a while.

Lowering the timeout (tcpdump uses 1000, i.e. 1 second, and Wireshark uses 100, i.e. 1/10 second) means that packets will show up within a reasonably short period of time, even if not enough packets arrive to fill up the buffer.


Fixed it. When I change my TIMEOUT value from -1 to something else it works (i.e. it picks up on all network activity). Don't really know what's going on there (haven't thought about it much yet) so if someone does please holla.

