Hi Billy.

> -----Original Message-----
> From: Loftus, Billy [mailto:[EMAIL PROTECTED]
> Sent: Thursday 3 July 2003 10.36
> To: Fulvio Risso
> Subject: RE: [WinPcap-users] Working with remote capturing interface
>
>
> Hi Fulvio,
>
> Thanks for all the help. I am able to do remote capturing now. I
> have two NT4.0 PCs networked together. I am having one issue
> though. When I start the remote capture, I receive a continuous
> stream of TCP traffic. The traffic is in the form of two packets
> (60 and 270 bytes).

Probably it's a packet carrying a captured packet (270 bytes), followed by
an ack.


> I have the filter set to "tcp". If I set the
> filter to "icmp" then the traffic stops and waits for an ICMP
> packet as expected. I downloaded Analyzer 3.0 alpha and connected
> to the same remote host and started a capture on the remote host
> with the "tcp" filter set. I found that there were only a few TCP
> packets being received every minute or so.

There's only one way to see what happens: you have to open WinDump or
something similar on the remote machine (locally), and capture traffic there.
Then you can compare the traffic and see if your applications are capturing
the same thing.


> So my question is
> why is my code receiving a continuous flow of TCP traffic? I

This is probably correct, because remote capture data is returned by
means of a TCP connection.
So, you're capturing the traffic generated by the remote probe :-))

We're using the remote capture on a dual-homed host. The first interface
is used for management (and it carries the traffic back), the second is on
the network we want to monitor.
In this case, you're capturing only the "real" traffic.

Cheers,

        fulvio

> have included the code that I am using.
>
> #include <stdio.h>
> #include <stdlib.h>
> #include "pcap.h"
> #define LINE_LEN 16
>
> int main(void)
> {
>     pcap_if_t *alldevs;
>     pcap_if_t *d;
>     pcap_t *fp;
>     const u_char *pkt_data;
>     struct pcap_pkthdr *header;
>
>     int inum;
>     int i = 0;
>     int res;
>
>     u_int netmask;
>     char packet_filter[] = "tcp";
>     struct bpf_program fcode;
>
>     char errbuf[PCAP_ERRBUF_SIZE];
>
>     /* Retrieve the device list from the remote machine (rpcapd on 10.0.0.2) */
>     if (pcap_findalldevs_ex("rpcap://10.0.0.2/2002", NULL, &alldevs, errbuf) == -1)
>     {
>         fprintf(stderr, "Error in pcap_findalldevs_ex: %s\n", errbuf);
>         exit(1);
>     }
>
>     /* Retrieve the device list from the local machine */
>     //if (pcap_findalldevs_ex("rpcap://10.0.0.1", NULL, &alldevs, errbuf) == -1)
>     //{
>     //    fprintf(stderr, "Error in pcap_findalldevs_ex: %s\n", errbuf);
>     //    exit(1);
>     //}
>
>     /* Print the list */
>     for (d = alldevs; d; d = d->next)
>     {
>         printf("%d. %s", ++i, d->name);
>         if (d->description)
>             printf(" (%s)\n", d->description);
>         else
>             printf(" (No description available)\n");
>     }
>
>     if (i == 0)
>     {
>         printf("\nNo interfaces found! Make sure WinPcap is installed.\n");
>         return -1;
>     }
>
>     printf("Enter the interface number (1-%d):", i);
>     if (scanf("%d", &inum) != 1 || inum < 1 || inum > i)
>     {
>         printf("\nInterface number out of range.\n");
>         /* Free the device list */
>         pcap_freealldevs(alldevs);
>         return -1;
>     }
>
>     /* Jump to the selected adapter */
>     for (d = alldevs, i = 0; i < inum - 1; d = d->next, i++)
>         ;
>
>     /* Open the device (d->name is the full rpcap:// source string) */
>     if ((fp = pcap_open(d->name,
>                         100 /* snaplen */,
>                         PCAP_OPENFLAG_PROMISCUOUS /* flags */,
>                         20 /* read timeout, ms */,
>                         NULL /* remote authentication */,
>                         errbuf)) == NULL)
>     {
>         fprintf(stderr, "\nError opening adapter: %s\n", errbuf);
>         pcap_freealldevs(alldevs);
>         return -1;
>     }
>
>     //**********************************************************
>
>     if (d->addresses != NULL && d->addresses->netmask != NULL)
>         /* Retrieve the mask of the first address of the interface */
>         netmask = ((struct sockaddr_in *)(d->addresses->netmask))->sin_addr.S_un.S_addr;
>     else
>         /* If the interface has no address, assume a class C network */
>         netmask = 0xffffff;
>
>     /* Compile the filter */
>     if (pcap_compile(fp, &fcode, packet_filter, 1, netmask) < 0)
>     {
>         fprintf(stderr, "\nUnable to compile the packet filter. Check the syntax.\n");
>         pcap_close(fp);
>         pcap_freealldevs(alldevs);
>         return -1;
>     }
>
>     /* Set the filter */
>     if (pcap_setfilter(fp, &fcode) < 0)
>     {
>         fprintf(stderr, "\nError setting the filter.\n");
>         pcap_close(fp);
>         pcap_freealldevs(alldevs);
>         return -1;
>     }
>
>     //***********************************************************
>
>     printf("\nlistening on %s...\n", d->description ? d->description : d->name);
>
>     /* Read the packets.
>        pcap_next_ex fills header and pkt_data with pointers to the header and
>        to the data of the next captured packet. The return value is 1 if a
>        packet was read, 0 if the read timeout elapsed, -1 on error. */
>     while ((res = pcap_next_ex(fp, &header, &pkt_data)) >= 0)
>     {
>         if (res == 0)
>             /* Timeout elapsed */
>             continue;
>
>         /* Print packet timestamp and length */
>         printf("%ld:%06ld (%u)\n", (long)header->ts.tv_sec,
>                (long)header->ts.tv_usec, (unsigned)header->len);
>
>         /* Dump the captured bytes, LINE_LEN per line */
>         for (i = 0; i < (int)header->caplen; i++)
>         {
>             printf("%.2x ", pkt_data[i]);
>             if (((i + 1) % LINE_LEN) == 0)
>                 printf("\n");
>         }
>
>         printf("\n\n");
>     }
>
>     if (res == -1)
>     {
>         printf("Error reading the packets: %s\n", pcap_geterr(fp));
>         pcap_close(fp);
>         pcap_freealldevs(alldevs);
>         return -1;
>     }
>
>     pcap_close(fp);
>     pcap_freealldevs(alldevs);
>     return 0;
> }
>
>

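Fulvio's explanation above (the probe captures its own return stream: the 270-byte packet carrying a captured packet and the 60-byte ACK) suggests two checks. The first is to tell the rpcap session apart from everything else, per packet, in the capture loop; the second is to push that exclusion into the BPF filter on the probe so the session is never delivered at all. The C program below is an added example for this page, not code from the thread or from WinPcap. It assumes Ethernet II/IPv4/TCP framing without VLAN tags, uses the thread's addresses 10.0.0.1 (capture client) and 10.0.0.2 (probe), and runs offline on constructed sample frames; IPV4(), tcp_flow, parse_tcp_flow(), is_rpcap_session(), build_filter() and make_frame() are names chosen here, not WinPcap APIs.

```c
/* Added example, not code from this thread or from WinPcap: tell the rpcap
 * session's own TCP stream apart from the traffic we actually want, and build
 * a BPF filter that drops the session on the probe before it reaches us.
 * Assumes Ethernet II + IPv4 + TCP, no VLAN tags; 10.0.0.1 is the capture
 * client and 10.0.0.2 the remote probe, as in the thread. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN      14u
#define ETHERTYPE_IP4 0x0800
#define IP_PROTO_TCP  6
#define IPV4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                          ((uint32_t)(c) << 8) | (uint32_t)(d))

typedef struct {
    uint32_t src, dst;      /* IPv4 addresses, host byte order */
    uint16_t sport, dport;
    int valid;              /* 0 unless the frame parsed as IPv4/TCP */
} tcp_flow;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return IPV4(p[0], p[1], p[2], p[3]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* Parse Ethernet, IPv4 and TCP headers out of a captured frame. Every read is
 * bounds-checked against caplen: a small snaplen can cut the frame short. */
tcp_flow parse_tcp_flow(const uint8_t *pkt, size_t caplen)
{
    tcp_flow f = {0, 0, 0, 0, 0};
    const uint8_t *ip, *tcp;
    size_t ihl;

    if (caplen < ETH_HLEN + 20 || rd16(pkt + 12) != ETHERTYPE_IP4)
        return f;
    ip = pkt + ETH_HLEN;
    ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != IP_PROTO_TCP)
        return f;
    if (caplen < ETH_HLEN + ihl + 4)        /* need both TCP ports */
        return f;
    tcp = ip + ihl;
    f.src = rd32(ip + 12);
    f.dst = rd32(ip + 16);
    f.sport = rd16(tcp);
    f.dport = rd16(tcp + 2);
    f.valid = 1;
    return f;
}

/* 1 if the frame is TCP between capture client and probe in either direction.
 * Matching on the two addresses rather than on port 2002 also catches the
 * rpcap data connection, which is separate from the control connection. */
int is_rpcap_session(const uint8_t *pkt, size_t caplen, uint32_t client, uint32_t probe)
{
    tcp_flow f = parse_tcp_flow(pkt, caplen);
    if (!f.valid)
        return 0;
    return (f.src == client && f.dst == probe) || (f.src == probe && f.dst == client);
}

/* Wrap the user's filter so the BPF on the probe drops the session itself;
 * hand the result to pcap_compile() in place of the bare "tcp". Returns 0 if
 * the expression did not fit in out. */
int build_filter(char *out, size_t outlen, const char *user_filter, const char *client_ip)
{
    int n = snprintf(out, outlen, "(%s) and not host %s", user_filter, client_ip);
    return n > 0 && (size_t)n < outlen;
}

/* Constructed frame for testing: Ethernet II + minimal IPv4 + minimal TCP ACK,
 * zero-padded to len bytes (checksums stay zero; the parser ignores them). */
void make_frame(uint8_t *buf, size_t len, uint32_t src, uint32_t dst,
                uint16_t sport, uint16_t dport)
{
    memset(buf, 0, len);
    if (len < ETH_HLEN + 40)
        return;
    wr16(buf + 12, ETHERTYPE_IP4);
    buf[14] = 0x45;                              /* IPv4, IHL 5 */
    wr16(buf + 16, (uint16_t)(len - ETH_HLEN));  /* IP total length */
    buf[22] = 64;                                /* TTL */
    buf[23] = IP_PROTO_TCP;
    wr32(buf + 26, src);
    wr32(buf + 30, dst);
    wr16(buf + 34, sport);
    wr16(buf + 36, dport);
    buf[46] = 0x50;                              /* data offset 5, no options */
    buf[47] = 0x10;                              /* ACK */
}

int main(void)
{
    const uint32_t client = IPV4(10, 0, 0, 1), probe = IPV4(10, 0, 0, 2);
    uint8_t ack[60], data[270], other[60];
    char filter[128];

    make_frame(ack, sizeof ack, client, probe, 1234, 2002);    /* the 60-byte ACK */
    make_frame(data, sizeof data, probe, client, 2002, 1234);  /* the 270-byte data packet */
    make_frame(other, sizeof other, IPV4(192, 168, 1, 5), probe, 40000, 80);

    printf("ack=%d data=%d other=%d\n",
           is_rpcap_session(ack, sizeof ack, client, probe),
           is_rpcap_session(data, sizeof data, client, probe),
           is_rpcap_session(other, sizeof other, client, probe));
    if (build_filter(filter, sizeof filter, "tcp", "10.0.0.1"))
        printf("filter: %s\n", filter);
    return 0;
}
```

In the thread's program, pass build_filter()'s output (here "(tcp) and not host 10.0.0.1") to pcap_compile() instead of the bare "tcp"; running is_rpcap_session() on each pcap_next_ex() result is then only a sanity check that the filter did its job. The filter matches on the client address rather than on port 2002 because the rpcap data stream runs on its own connection and need not use the control port. With the dual-homed layout Fulvio describes, the management interface is not the one being captured, so neither check is needed.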


=================================================================
This is the WinPcap users list. It is archived at
http://www.mail-archive.com/[EMAIL PROTECTED]/

To unsubscribe use
mailto: [EMAIL PROTECTED]
=================================================================