4
votes

I'm implementing a packet collector, but I suffer from packet drops.

My binary can get most of the packets from some specific IP regions (e.g. 100.101.1.1, 100.101.2.1). But for some specific IP regions, I cannot get any packets (e.g. 200.201.1.1, 200.201.2.1).

At the same time, tcpdump can get packets from any IP region.

The pcap code snippet from my implementation is as follows:

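#include <pcap.h>

struct bpf_program fp;          /* compiled BPF filter */
pcap_t *pcd;                    /* capture handle */
char errbuf[PCAP_ERRBUF_SIZE];
bpf_u_int32 netp;               /* netmask passed to pcap_compile() */
char port[16], dev[16];         /* filter expression and interface name */
struct pcap_pkthdr hdr;         /* per-packet header filled in by pcap_next() */
const u_char *packet;           /* pointer to the captured bytes */
......
pcd = pcap_open_live(dev, BUFSIZ, PROMISCUOUS, -1, errbuf);
pcap_compile(pcd, &fp, port, 0, netp);   /* port holds the filter string */
pcap_setfilter(pcd, &fp);
while(1){
    packet = pcap_next(pcd, &hdr);
}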

Does anyone have any ideas?

1
Add the output of ifconfig, and the command line you use to run tcpdump. Could it be that the IP you're looking for is not on the interface you're opening? - Nitzan Shaked
What is dev? If you pass null or any instead of dev, you should be able to capture packets from all interfaces. - Magn3s1um

1 Answer

0
votes

Since you mentioned that you can get all the IP packets on the interface using tcpdump, I would consider the following line in your code to be all right, as long as you are using the same interface name for the parameter dev as you use for tcpdump.

pcap_open_live(dev, BUFSIZ, PROMISCUOUS, -1, errbuf);

The issue might be in the line,

pcap_compile(pcd, &fp, port, 0, netp);

In the above line, the port variable is a filter string. Your packet collector will only collect the packets that pass this filter. If you are not using proper filter parameters in your port string to also allow the packets involving IP addresses 200.201.x.x, you will not capture them.
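
Added example, not part of the original answer or the asker's program: a minimal classic BPF interpreter showing how a compiled filter accepts or rejects each packet before `pcap_next()` ever returns it. The filter expression `ip src net 100.101.0.0/16` is an assumption (the asker's real filter string is not shown), the program is hand-assembled in the form `pcap_compile()` generates, and the names `insn`, `be`, `run_filter` and `verdict` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Classic BPF instruction (same layout as libpcap's struct bpf_insn). */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
enum { LD_W_ABS = 0x20, LD_H_ABS = 0x28, JEQ_K = 0x15, AND_K = 0x54, RET_K = 0x06 };

/* Hand-assembled program for the ASSUMED filter "ip src net 100.101.0.0/16". */
static const struct insn filter[] = {
    { LD_H_ABS, 0, 0, 12 },          /* A = EtherType                      */
    { JEQ_K,    0, 4, 0x0800 },      /* not IPv4: jump to reject           */
    { LD_W_ABS, 0, 0, 26 },          /* A = IPv4 source address            */
    { AND_K,    0, 0, 0xffff0000 },  /* keep the /16 prefix                */
    { JEQ_K,    0, 1, 0x64650000 },  /* prefix != 100.101: jump to reject  */
    { RET_K,    0, 0, 262144 },      /* accept: deliver up to 262144 bytes */
    { RET_K,    0, 0, 0 },           /* reject: pcap_next() never sees it  */
};

/* Big-endian load of n bytes, as BPF absolute loads do. */
static uint32_t be(const uint8_t *p, size_t n) { uint32_t v = 0; while (n--) v = v << 8 | *p++; return v; }

/* Runs the program over one packet; returns bytes to deliver, 0 = filtered out. */
static uint32_t run_filter(const struct insn *pc, const uint8_t *p, size_t len)
{
    uint32_t a = 0;                                   /* BPF accumulator */
    for (;; pc++) {
        size_t n = pc->code == LD_W_ABS ? 4 : 2;      /* load width in bytes */
        switch (pc->code) {
        case LD_W_ABS: case LD_H_ABS:
            if (pc->k + n > len) return 0;            /* load past end of packet rejects */
            a = be(p + pc->k, n); break;
        case AND_K: a &= pc->k; break;
        case JEQ_K: pc += a == pc->k ? pc->jt : pc->jf; break;  /* offsets are relative to the next instruction */
        case RET_K: return pc->k;
        default:    return 0;                         /* opcode not modelled here */
        }
    }
}

/* Builds a constructed Ethernet + IPv4 header with source a.b.c.d and filters it. */
static uint32_t verdict(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    uint8_t pkt[34] = { [12] = 0x08, [13] = 0x00, [14] = 0x45, [26] = a, [27] = b, [28] = c, [29] = d };
    return run_filter(filter, pkt, sizeof pkt);
}

int main(void)
{
    printf("100.101.1.1 -> %u\n200.201.1.1 -> %u\n", verdict(100, 101, 1, 1), verdict(200, 201, 1, 1));
    return 0;
}
```

On a real capture, `tcpdump -d '<filter string>'` prints the program libpcap generates for the same expression, which makes it easy to see which addresses a filter can ever match.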