Where are locally transmitted packets?

Sep 30, 2012 at 4:59 AM

When I perform a live capture I only get packets which are received on my selected interface. I never see any packet that the host has sent on that interface. For example, I do a ping:

C:\Users\ABC>ping www.google.com -n 1

Pinging www.google.com [74.125.224.81] with 32 bytes of data:
Reply from 74.125.224.81: bytes=32 time=16ms TTL=54

Ping statistics for 74.125.224.81:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 16ms, Maximum = 16ms, Average = 16ms

On my currently running Wireshark I see both the ICMP request and the ICMP reply. However, in my code with Pcap.Net I only see the ICMP reply. I never see any host-transmitted packets. Since Wireshark can see this traffic, WinPcap must be working OK. I set Promiscuous and do not set NoLocalCapture, so I figure I should see this traffic.

private void captureLiveWorker_DoWork(object sender, DoWorkEventArgs e)
{
    // Retrieve the device list from the local machine
    IList<LivePacketDevice> allDevices = LivePacketDevice.AllLocalMachine;
    int device_id = (int)e.Argument;

    // Take the selected adapter
    PacketDevice selectedDevice = allDevices[device_id];

    using (PacketCommunicator communicator =
        selectedDevice.Open(2000,
                            PacketDeviceOpenAttributes.Promiscuous,
                            1000))
    {
        BerkeleyPacketFilter filter = communicator.CreateFilter("icmp");

        // start the capture
        communicator.SetFilter(filter);
        Packet packet;

        while (!captureLiveWorker.CancellationPending)
        {
            PacketCommunicatorReceiveResult result = communicator.ReceivePacket(out packet);

            switch (result)
            {
                case PacketCommunicatorReceiveResult.Timeout:
                    continue;
                case PacketCommunicatorReceiveResult.Ok:
                    if (packet.IsValid)
                    {
                        PacketHandler(packet);
                    }
                    break;
            }
        }
    }
}

Coordinator
Oct 5, 2012 at 10:43 AM

You should get the same packets.

Make sure you use the same parameters you use in Wireshark when calling Open() on the device.

I'm not sure whether the (!captureLiveWorker.CancellationPending) has any effect on it, so you can just try and handle all packets.

Also, maybe some packets are recognized as invalid in Pcap.Net, so make sure they're not dropped there.

 

Boaz.
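
One way to act on the suggestion above about packets being recognized as invalid, as an added example that is not part of the original thread or of Pcap.Net itself: log every captured packet with its per-layer validity before any IsValid gate. The class name CaptureDiagnostics and the method Describe are hypothetical, and the code assumes an Ethernet adapter with the "icmp" filter from the question.

```csharp
using System;
using PcapDotNet.Packets;
using PcapDotNet.Packets.Ethernet;
using PcapDotNet.Packets.Icmp;
using PcapDotNet.Packets.IpV4;

static class CaptureDiagnostics
{
    // Hypothetical helper (not part of Pcap.Net): call it from the
    // PacketCommunicatorReceiveResult.Ok case for every packet, before
    // any IsValid check, so that rejected packets are still visible.
    public static void Describe(Packet packet)
    {
        Console.WriteLine("{0:HH:mm:ss.fff} len={1} packet.IsValid={2}",
                          packet.Timestamp, packet.Length, packet.IsValid);

        // 14 bytes = Ethernet header; shorter frames cannot be parsed further.
        if (packet.Length < 14)
            return;

        EthernetDatagram ethernet = packet.Ethernet;
        if (ethernet.EtherType != EthernetType.IpV4)
        {
            Console.WriteLine("  not IPv4 (EtherType={0})", ethernet.EtherType);
            return;
        }

        IpV4Datagram ip = ethernet.IpV4;
        // 20 bytes = minimum IPv4 header.
        if (ip.Length < 20)
            return;

        // Source/Destination show the direction; the flags show which
        // IPv4-level check, if any, marks the packet as invalid.
        Console.WriteLine("  {0} -> {1} ip.IsValid={2} headerChecksumOk={3}",
                          ip.Source, ip.Destination, ip.IsValid,
                          ip.IsHeaderChecksumCorrect);

        if (ip.Protocol != IpV4Protocol.InternetControlMessageProtocol)
            return;

        IcmpDatagram icmp = ip.Icmp;
        Console.WriteLine("  icmp type={0} icmp.IsValid={1} checksumOk={2}",
                          icmp.MessageType, icmp.IsValid, icmp.IsChecksumCorrect);
    }
}
```

If the echo requests show up here with packet.IsValid=False, they were being captured all along and discarded by the `if (packet.IsValid)` branch in the capture loop.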