Azamat Averbukh - 1 year ago
C Question

Why does a PF_PACKET RAW socket stop missing packets after "Wireshark" was launched?

I need to receive incoming UDP packets using RAW socket, which is being opened using this code snippet:

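    static int fd;
    char *iface;

    iface = "eth0";

    /* Packet socket delivering IPv4 frames without the link-layer header */
    if ( (fd = socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_IP))) < 0 )
    {
        perror("socket");
        exit(EXIT_FAILURE);
    }

    /* Restrict the socket to the chosen interface */
    if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, iface, strlen(iface)) < 0)
    {
        perror("bind");
        exit(EXIT_FAILURE);
    }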


I send, say, 100 identical packets and try to receive and count them.
I use recv(...) to do this.
Only 93 packets are delivered, and then recv(...) hangs waiting for next ones. But if I run "Wireshark" (which uses libpcap) on the receiving side computer and make it listen on "eth0" to UDP packets, then my app will always catch 100 packets without any problems.

I can't understand what I'm actually doing wrong, and why does "Wireshark" influence my socket receiver as well?

P.S. I already tried to increase receive buffer size, but no success.

nnn
Answer

By default, Wireshark is setting the network interface in promiscuous mode, using libpcap: https://github.com/the-tcpdump-group/libpcap/blob/735f1f9d3318693f0096be4198d34e9ac0985777/pcap-linux.c#L3528

Try adding this setsockopt call in your code, to see if it helps.
