This project is read-only.

Where are locally tranmitted packets?

Sep 30, 2012 at 5:59 AM

When I perform a live capture i only get packets which are received on my selected interface.  I never see any packet that the host has sent on that interface.  For example, I do a ping:

C:\Users\ABC>ping -n 1

Pinging [] with 32 bytes of data:
Reply from bytes=32 time=16ms TTL=54

Ping statistics for
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 16ms, Maximum = 16ms, Average = 16ms

On my currently running wireshark i see bot the ICMP request, and ICMP reply.  However, in my code with i only see the ICMP reply.  I never see any host transmitted packets.  Since Wireshark can see this traffic winpcap must be working ok.   I set Promiscous and do not set NoLocalCapture, so i figure i should see this traffic. 

private void captureLiveWorker_DoWork(object sender, DoWorkEventArgs e)
    // Retrieve the device list from the local machine
    IList<LivePacketDevice> allDevices = LivePacketDevice.AllLocalMachine;
    int device_id = (int)e.Argument;

    // Take the selected adapter
    PacketDevice selectedDevice = allDevices[device_id];

    using (PacketCommunicator communicator =
 BerkeleyPacketFilter filter = communicator.CreateFilter("icmp");

 // start the capture
 Packet packet;

 while (!captureLiveWorker.CancellationPending)
     PacketCommunicatorReceiveResult result = communicator.ReceivePacket(out packet);

     switch (result)
  case PacketCommunicatorReceiveResult.Timeout:
  case PacketCommunicatorReceiveResult.Ok:
      if (packet.IsValid)


Oct 5, 2012 at 11:43 AM

You should get the same packets.

Make sure you use the same parameters you use in Wireshark when calling Open() on the device.

I'm not sure whether the (!captureLiveWorker.CancellationPending) has any affect on it so you can just try and handle all packets.

Also, maybe some packets are recognized as invalid in Pcap.Net, so make sure they're not dropped there.