VC++ Winpcap library - not getting any packets, Win7

lunanat
lunanat used Ask the Experts™
on
So, I'm writing an application that will sit on my network (a span port on one of my core switches, actually) and monitor the traffic going across the fabric... specifically, I am looking to generate assoications between applications.  Which servers talk to which other servers, etc.

Will be very informative and interesting.

The first step is of course to drop the NIC into promiscuous mode, and read the packets.

I've got the pcap.h file, and the libraries working... I can access the functions within the library, and I can both list and open adapters.  However, following the documented examples provided, I'm not getting any packets dumped out.

 
//open the adapter
	adapterhandle=pcap_open(adapter->name,65536,PCAP_OPENFLAG_PROMISCUOUS,1000,NULL,errorBuffer);
	if (adapterhandle==NULL){
		cout<<"Unable to open adapter "<<adapter->name<<"\n";
		pcap_freealldevs(allAdapters);
		return;
	}
	cout<<"Capture process started on adapter "<<adapter->name<<"\n";

	//recieve packets, this part does not work.
	while ((retValue=pcap_next_ex(adapterhandle,&packetHeader,&packetData))>=0){
		if (retValue==0)
			continue;
		cout<<"Packet Length: "<<packetHeader->len<<"Received at :"<<packetHeader->ts.tv_sec<<"\n\n";
	}
	//clean up
	pcap_freealldevs(allAdapters);
	cout<<"Finished\n\n";

Open in new window


Basically, my screen just sits blank and empty... I did generate traffic by browsing webpages (though there's a lot of background traffic that it should pick up anyways, ARP if nothing else) while the app was open and running.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
jkr
Top Expert 2012

Commented:
HAve you tried 'pcap_open_live()' instead of 'pcap_open()'? Also, see http://www.lovemytool.com/blog/2009/08/joke_snelders4.html ("Wireshark & Windows 7") about issues with Win7.

Author

Commented:
Fast reply!

I've read through that link, yes... all steps were followed, and applications such as Wireshark and Cain will read promiscuous packets without issue.

I gave the open_live method a try, however the same result.
Commented:
Son of a....

I figured out what it was.  I was opening the adapter... just not the right adapter.  My loop to go through the linked list of adapters was stopping one short.

<--- Just chalk it up to me being blind.

Author

Commented:
Feeling kinda silly, should have read my own debug text a lot closer.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial