This project is read-only.

Capturing, Processing and Resendig Packets

Aug 6, 2011 at 8:54 PM

Hi Boaz,

Hello to everyone and thank you for your great efforts. i have only 1 question wich is the best metod to recive process and resend packets in performance matters the ReceivePacket, RecivePackets or ReceiveSomePackets, i want to put the incoming packets in a queuqe then process them and finally send them back im using diferent synchronized threads to acces the qeuque but i dont know wich method would be the most efficient,


Aug 12, 2011 at 7:01 AM

Hi Adum_264,


ReceivePacket() is the easiest method to use and you should probably start there.

It seems to me that ReceivePackets() might be appropriate since you can simply call it and ask that every received packet would be handle by some method.


ReceivePacket() uses pcap_next_ex() 

ReceivePackets() uses pcap_loop()

ReceiveSomePackets() uses pcap_dispatch()


Short Googling gave me this

"How does using pcap_next_ex() compare with pcap_loop() - performance-wise?"
"There is no performance penalty, we have used pcap_next_ex at multigigabit 


Also take a look here:


I hope this helps,



Aug 12, 2011 at 5:55 PM

Hi Boaz, thanks for clarifing me that, well now my man-in-the-middle app is almost done but something strange is going on, and i cant figure out what's wrong , see :


when the victim ping to the gateway ( ) the packet comes to me because the victim( is arp poisoned ,  so i change the ehernet and ip layer of the packet and i send it again to the real gateway , then thee gateway send the reply to me, and i send it back to the victim , everithing works fine! , but when i send a ping to an external server ( first the victim needs to resolve the ip , so it send a dns request, and as you can see my app do the same thing but i never get a reply and i dont know why ! , i hope you cant tell me what is wrong  = (

Aug 12, 2011 at 9:42 PM

Try and make the victim ping and see what is going on.

Aug 13, 2011 at 4:19 AM

i did it :

= (

Aug 13, 2011 at 8:57 AM

So you do get replied for pings but don't get replies for DNS?

And without ARP poisoning you get replies for both?

Aug 13, 2011 at 4:51 PM
brickner wrote:

So you do get replied for pings but don't get replies for DNS?


And without ARP poisoning you get replies for both?


and also i realized that when mi program is running mi system gets poisoned too so i have, -> myownmac,  but i dont know because my program send packets to the victim , not to me

Aug 13, 2011 at 5:41 PM

If you use the same default gateway -, and you're also poisoned that's explains why the packets are not reaching their destination and why you own't get responses.

It doesn't explain why you get responses for pings and no responses for DNS.


If I understand correctly, Apple_b0:d8:cb is the victim. IntelCor_09:d5:d0 is the man in the middle. 2wire_0b:98:01 is the gateway. Right?


I would try to use different DNS servers and see if they might work, it is weird to get responses for pings and no responses for DNS requests.

Aug 13, 2011 at 9:02 PM
Edited Aug 13, 2011 at 11:51 PM

i cheked the isvalid() property of my packets before send them  to the gateway, with icmp packets all are valid , but with dns packets i got unvalid packets :

paa is the dns packet just before send it to the gateway , but i just changed the source , destination and (HeaderChecksum to null) properties in the ipv4layer just that... that transportchecksumcorrect what do i

need to change in order to get a valid packet.


look here :

p is the incoming packet and p2 is the modified packet and the watch mark p2 as invalid because of the transportchecksumcorrect of the ipv4 datagram property

Aug 17, 2011 at 9:41 PM

never mind i figured out, the udp packet checksum was wrong -_- so i set it to null ,


but  1 more question why when i call communicator.break(); never returns, or at least take like 10 seconds

Aug 19, 2011 at 6:27 AM

I'm not sure why doesn't it break.

Have you read the full documentation of Break() ?