2
votes

I'm currently writing a packet capture program using the infamous pcap library, based on Arch Linux Arm and programmed in C, I have hit a brick wall.

The device will sit in a SPAN ethernet port and should collect all the data passing through the switch, where it will be saved to a file and be opened offline with wireshark for analysis.

The program will compile and execute error free; however the statistics only return that it's captured between 1 and 6 packets every time. I've set the count to 20 for test purposes and I'm pinging the device to generate traffic.

The logic of the program (as not to dump my entire code) goes as such:

pcap_open_live()  //find device
pcap_lookupnet()  //get IP and net mask
pcap_dump_open()  //open savefile
pcap_dispatch()   //capture packets & call &pcap_dump
pcap_stats()      //output capture stats to screen
pcap_dump_close() //close file
pcap_close()      //close device & free memory

The code specifies promiscous mode, the device has an IP via DHCP when ifconfig'd, I have not used a bpf filter i.e.: pcap_compile() pcap_setfilter() as part of pcap_dispatch(). when I did use it the results were between 4 and 6 packets. I've read through the man pages, many a website and forum, I just cannot see it.

Should you need any additional information/code, please ask. If anyone can point me in the right direction I would be much obliged and I will post my results for the community :)

Thank you for your time.

Guys you were spot on, thank you.

I changed from pcap_dispatch() to pcap_loop() and its capturing the target 20 packets. Perfect. So in summation, the code logic is as follows.

pcap_open_live() //find device
pcap_lookupnet()  //get IP and net mask
pcap_dump_open()  //open savefile
pcap_loop()       //capture packets & call &pcap_dump
pcap_stats()      //output capture stats to screen
pcap_dump_close() //close file
pcap_close()      //close device & free memory

When the project is submitted, I'll post my complete code as a favour to the community.

Thank you again.

1
Can we see more of the code?Magn3s1um
Specifically open and dispatch and statsScotty Bauer

1 Answers

1
votes

From the man page:

pcap_dispatch() processes packets from a live capture or ''savefile'' until cnt packets are processed, the end of the current bufferful of packets is reached when doing a live capture, the end of the ''savefile'' is reached when reading from a ''savefile'

Then for

pcap_loop() processes packets from a live capture or ''savefile'' until cnt packets are processed, the end of the ''savefile'' is reached when reading from a ''savefile'

My hunch is the packet buffer is only holding up to 6 packets at a time and when you dispatch you're exhausting the buffer and it's returning. Try using pcap_loop() and see if your problem is fixed.