0
votes

I am writing a packet sniffer using pcap and visual studio. I've taken sample code for offline capturing and combined it with code that looks for an interface and captures packets live. This is what I have to display the packets information gotten from 1.

    while (int returnValue = pcap_next_ex(pcap, &header, &data) >= 0)
{
    // Print using printf. See printf reference:
    // http://www.cplusplus.com/reference/clibrary/cstdio/printf/

    // Show the packet number
    printf("Packet # %i\n", ++packetCount);

    // Show the size in bytes of the packet
    printf("Packet size: %d bytes\n", header->len);

    // Show a warning if the length captured is different
    if (header->len != header->caplen)
        printf("Warning! Capture size different than packet size: %ld bytes\n", header->len);

    // Show Epoch Time
    printf("Epoch Time: %d:%d seconds\n", header->ts.tv_sec, header->ts.tv_usec);

    // loop through the packet and print it as hexidecimal representations of octets
    // We also have a function that does this similarly below: PrintData()
    for (u_int i=0; (i < header->caplen ) ; i++)
    {
        // Start printing on the next after every 16 octets
        if ( (i % 16) == 0) printf("\n");

        // Print each octet as hex (x), make sure there is always two characters (.2).
        printf("%.2x ", data[i]);
    }

    // Add two lines between packets
    printf("\n\n");
}

The problem I'm having is that if I run a WireShark live capture and also run my program, both capture packets live, but WireShark will show that it's capturing packet 20 and VS will show packetCount = 200.(Note: arbitrary numbers chosen to show Wireshark hasn't captured many packets, but VS is counting extremely fast.)

From what I understand, it seems the while loop is just running much faster than the packets are coming in and so it's just printing information from the last packet it received over and over again until a new one comes in. How can I get VS to only capture packets as they come in?

2

2 Answers

1
votes

I was unaware that Visual Studio included a packet sniffer; did you mean "how can I get my application, which I'm building with Visual Studio, to only capture packets as they come in?"

If that's what you meant, then that's what your code is doing.

Unfortunately, what it's not doing is "checking whether a packet has actually come in".

To quote the man page for pcap_next_ex() (yeah, UN*X, but this applies to Windows and WinPcap as well):

   pcap_next_ex() returns 1 if the packet was read without  problems,
   0  if  packets are being read from a live capture, and the timeout
   expired, -1 if an error occurred while reading the packet, and  -2
   if  packets  are  being read from a ``savefile'', and there are no
   more packets to read  from  the  savefile.   If  -1  is  returned,
   pcap_geterr() or pcap_perror() may be called with p as an argument
   to fetch or display the error text.

Emphasis on "0 if packets are being read from a live capture, and the timeout expired"; 0 means that you did not get a packet.

Do not act as if a packet were captured if pcap_next_ex() returned 0, only do so if it returned 1:

while (int returnValue = pcap_next_ex(pcap, &header, &data) >= 0)
{
    if (returnValue == 1) {
        // Print using printf. See printf reference:
        // http://www.cplusplus.com/reference/clibrary/cstdio/printf/

        // Show the packet number
        printf("Packet # %i\n", ++packetCount);

             ...

        // Add two lines between packets
        printf("\n\n");
    }
}
0
votes

SOLUTION: So apparently, adding parentheses around the argument fixes the issue.

while ( (( int returnValue = pcap_next_ex(pcap, &header, &data) ) >= 0 ) )