Azamat Averbukh - 3 years ago
C Question

Why does a PF_PACKET RAW socket stop missing packets after "Wireshark" was launched?

I need to receive incoming UDP packets using RAW socket, which is being opened using this code snippet:

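/* needs <sys/socket.h>, <arpa/inet.h>, <linux/if_ether.h>, <string.h>, <stdio.h> */
static int fd;
char *iface;

iface = "eth0";

/* packet socket for IPv4; SOCK_DGRAM strips the link-layer header */
if ( (fd = socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_IP))) < 0 )
    perror("socket");

if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, iface, strlen(iface)) < 0)
    perror("setsockopt(SO_BINDTODEVICE)");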

I send, say, 100 identical packets and try to receive and count them.
I use recv(...) to do this.
Only 93 packets are delivered, and then recv(...) hangs waiting for the next ones. But if I run "Wireshark" (which uses libpcap) on the receiving-side computer and make it listen on "eth0" for UDP packets, then my app will always catch 100 packets without any problems.

I can't understand what I'm actually doing wrong, and why "Wireshark" influences my socket receiver as well.

P.S. I already tried to increase the receive buffer size, but with no success.

nnn
Answer Source

By default, Wireshark sets the network interface to promiscuous mode, using libpcap:

Try adding this setsockopt call in your code, to see if it helps.
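
The setsockopt call the answer refers to is not reproduced on this page. On Linux, one documented way to request promiscuous mode from a packet socket is PACKET_ADD_MEMBERSHIP with PACKET_MR_PROMISC (see packet(7)); the following is an added example, not the answerer's code. It assumes Linux and CAP_NET_RAW, the helper name open_promisc_socket is hypothetical, and "eth0" is the interface from the question.

```c
/* Added example (Linux, needs CAP_NET_RAW); not code from the original page. */
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: returns a packet socket fd, or -1 on any failure. */
int open_promisc_socket(const char *iface)
{
    struct sockaddr_ll sll;
    struct packet_mreq mr;
    unsigned int ifindex = if_nametoindex(iface);
    int fd;

    if (ifindex == 0)                       /* unknown interface name */
        return -1;
    if ((fd = socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_IP))) < 0)
        return -1;
    memset(&sll, 0, sizeof(sll));           /* bind(2) ties the socket to iface */
    sll.sll_family = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_IP);
    sll.sll_ifindex = (int)ifindex;
    memset(&mr, 0, sizeof(mr));             /* promiscuous until fd is closed */
    mr.mr_ifindex = (int)ifindex;
    mr.mr_type = PACKET_MR_PROMISC;

    if (bind(fd, (struct sockaddr *)&sll, sizeof(sll)) < 0 ||
        setsockopt(fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP, &mr, sizeof(mr)) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    unsigned char buf[2048];
    long count = 0;
    int fd = open_promisc_socket(argc > 1 ? argv[1] : "eth0");

    if (fd < 0) { perror("open_promisc_socket"); return 1; }
    while (recv(fd, buf, sizeof(buf), 0) >= 0)   /* count IPv4 packets; Ctrl-C stops */
        printf("packets received: %ld\n", ++count);
    perror("recv");
    return 1;
}
```

The membership is dropped automatically when the socket is closed, so the interface does not stay promiscuous after the program exits.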
