Question

When I successfully find a device on my computer and make the call to pcap_open(...), is this giving me packets only going to and from my computer? What about other computers on the network? Does it show me packets that haven't been sent yet?


Solution

Short answers:

Depends, depends, and no.

Longer answers:

You need to understand a few things before the questions can be answered. First, you need to know that every packet sent on an Ethernet network will contain an Ethernet header that specifies a source and destination address. These addresses belong to the Ethernet cards of the sender and intended receiver on the Ethernet network. Note, these are different from IP addresses. (See the Address Resolution Protocol (ARP) for how the Ethernet addresses are found.)

When a computer receives a packet whose Ethernet header's destination address matches its own Ethernet card's address, it processes it. Otherwise, it discards it.

If you have a bunch of computers plugged into a hub, for example, then when one computer sends a packet to another computer, ALL of the computers will see it since hubs simply broadcast every packet they receive on all the attached links. Only one computer will actually process the packet though, and that is the computer specified in the Ethernet header.

Now, onto pcap. You can capture packets in promiscuous mode or non-promiscuous mode (not sure if there is a better term for that). If your interface is in promiscuous mode, pcap will show ALL packets that are received on your interface, even if the destination of the packet does not match the destination of that interface. In non-promiscuous mode it will only show packets whose destination field matches the address of your interface.

Now to answer your questions.

You will always see packets that are sent FROM your computer and always see packets that are destined specifically TO your computer. You MAY see packets sent FROM other computers depending on your network. You MAY see packets sent TO other computers on your network depending on your network. For example, if you are capturing packets on a WiFi interface, you can see packets that are destined to and sent from other computers (because they are broadcast over the air and anyone in range can see them). Same thing for a hub, which broadcasts all packets it receives. If your adapter is in promiscuous mode, pcap will show them, hence you can see traffic sent to/from other computers. If, on the other hand, your computer is plugged into a switch or router, you will only see your traffic because the switch/router will not send you other computers' traffic (read up on hubs/switches/routers to see why). Lastly, it will NOT show you packets that have not been sent yet, since they have to be sent out an interface before pcap can see them.
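The destination-address filtering described in this answer, as an added example that is not part of the original answer and does not call pcap itself. It assumes a hub, so every frame reaches the interface, and the `promisc` argument stands in for the promiscuous-mode setting chosen when the capture device is opened. It goes slightly beyond the answer by also accepting broadcast frames, which an interface receives in either mode. All MAC addresses and frames are constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN     6
#define ETH_HDR_LEN 14   /* destination(6) + source(6) + EtherType(2) */

/* Constructed addresses (locally administered range), not real hosts. */
static const uint8_t OWN_MAC[MAC_LEN]   = {0x02,0,0,0,0,0x01};
static const uint8_t BROADCAST[MAC_LEN] = {0xff,0xff,0xff,0xff,0xff,0xff};

struct frame { uint8_t bytes[ETH_HDR_LEN]; size_t len; };

/* Constructed Ethernet headers as they would appear on a hub (payloads omitted). */
static const struct frame SEEN_ON_HUB[] = {
    /* peer A -> us */
    {{0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x0a, 0x08,0x00}, 14},
    /* us -> peer B */
    {{0x02,0,0,0,0,0x0b, 0x02,0,0,0,0,0x01, 0x08,0x00}, 14},
    /* peer A -> peer B: not ours in either direction */
    {{0x02,0,0,0,0,0x0b, 0x02,0,0,0,0,0x0a, 0x08,0x00}, 14},
    /* peer A -> broadcast (e.g. an ARP request) */
    {{0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0,0,0,0,0x0a, 0x08,0x06}, 14},
    /* truncated: too short to hold a full Ethernet header */
    {{0x02,0,0,0,0,0x01, 0x02,0,0,0}, 10},
};

/* Returns 1 if a capture on the interface owning `own` would show the frame. */
int capture_shows(const uint8_t *f, size_t len, const uint8_t *own, int promisc)
{
    if (len < ETH_HDR_LEN) return 0;                     /* malformed header */
    const uint8_t *dst = f, *src = f + MAC_LEN;
    if (memcmp(src, own, MAC_LEN) == 0) return 1;        /* sent FROM us */
    if (memcmp(dst, own, MAC_LEN) == 0) return 1;        /* addressed TO us */
    if (memcmp(dst, BROADCAST, MAC_LEN) == 0) return 1;  /* addressed to everyone */
    return promisc ? 1 : 0;  /* other hosts' traffic: promiscuous mode only */
}

int count_visible(int promisc)
{
    int n = 0;
    for (size_t i = 0; i < sizeof SEEN_ON_HUB / sizeof SEEN_ON_HUB[0]; i++)
        n += capture_shows(SEEN_ON_HUB[i].bytes, SEEN_ON_HUB[i].len, OWN_MAC, promisc);
    return n;
}

int main(void)
{
    printf("non-promiscuous: %d frames shown\n", count_visible(0));
    printf("promiscuous:     %d frames shown\n", count_visible(1));
    return 0;
}
```

On a switch the third frame would normally never be forwarded to this port at all, so both modes would show the same set.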

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow