[Winpcap-users] Monitoring multiple network interfaces

Tue Dec 8 09:31:29 PST 2009

Gianluca Varenni wrote:
> ----- Original Message ----- 
> From: "soulstone" <soulstone at gmx.de>
> To: <winpcap-users at winpcap.org>
> Sent: Tuesday, December 08, 2009 6:16 AM
> Subject: Re: [Winpcap-users] Monitoring multiple network interfaces
> 
> 
>>
>> Gianluca Varenni wrote:
>>> ----- Original Message ----- 
>>> From: "soulstone" <soulstone at gmx.de>
>>> To: <winpcap-users at winpcap.org>
>>> Sent: Sunday, December 06, 2009 12:59 PM
>>> Subject: Re: [Winpcap-users] Monitoring multiple network interfaces
>>>
>>>
>>>> Gianluca Varenni wrote:
>>>>> ----- Original Message ----- 
>>>>> From: "soulstone" <soulstone at gmx.de>
>>>>> To: <winpcap-users at winpcap.org>
>>>>> Sent: Friday, December 04, 2009 7:02 AM
>>>>> Subject: Re: [Winpcap-users] Monitoring multiple network interfaces
>>>>>
>>>>>
>>>>>> Gianluca Varenni wrote:
>>>>>>> ----- Original Message ----- 
>>>>>>> From: "soulstone" <soulstone at gmx.de>
>>>>>>> To: <winpcap-users at winpcap.org>
>>>>>>> Sent: Thursday, December 03, 2009 8:49 AM
>>>>>>> Subject: [Winpcap-users] Monitoring multiple network interfaces
>>>>>>>
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I've tried to monitor multiple networ interfaces installed on
>>>>>>>> a system.
>>>>>>>> The reason is that I need to monitor network traffic to determine
>>>>>>>> whether a user navigates to a given url.
>>>>>>>>
>>>>>>>> I'd rather capture only packages from the interface which is 
>>>>>>>> connected
>>>>>>>> to the internet but I don't know how to find out which one I need.
>>>>>>>>
>>>>>>>> So I tried to monitor all interfaces.
>>>>>>>> I did this by creating one thread per interface which calls 
>>>>>>>> pcap_loop.
>>>>>>>> But this doesn't work.
>>>>>>> What do you mean by "it doesn't work"?
>>>>>> 1. I use pcap_findalldevs to get all devices.
>>>>>> 2. I open every interface by pcap_open_live.
>>>>>> 3. I use a loop to itter through all interfaces and spawn
>>>>>> a seperated thread for each call of pcap_loop(Desc, 0, @PacketHandler,
>>>>>> Err).
>>>>>>
>>>>>> Usually after that the method PacketHandler would be called
>>>>>> if I only invoke pcap_look for the correct interface with internet
>>>>>> access.
>>>>>> But if I try to monitor multiple interfaces the function PacketHandler
>>>>>> isn't called anymore.
>>>>>>
>>>>>> I also tried to reverse the loop (the first interface is coincidental
>>>>>> the one with internet access) it works.
>>>>> What's the name of the interface with real traffic? What OS are you
>>>>> running
>>>>> on?
>>>> Why does the name of the interface matter? I know which one works on my
>>>> computer but I need a way to identify the one with real traffic also for
>>>> other users without user interaction.
>>>>
>>>> I used XP, Vista, Win7 for my tests.
>>>> I've multiple network interfaces installed on these machines.
>>>>
>>> I want to know if you are capturing from the interface called "Generic
>>> dialup/VPN interface" (or any VPN/dialup one)
>>>
>> I don't capture from a "Generic dialup/VPN interface".
>> E.g. there are two normal network interfaces and 2 virtual interfaces
>> created by virtualpc on one machine.
>> Maybe this could be a problem?
> 
> No.
> 
> What are the parameters passed to pcap_open_live? In interested in the 
> timeout value.
> Does pcap_loop ever return (even if PacketHandler is not called)?
> Can you please try using pcap_next_ex in your code and see what is the error 
> code returned by it?

pcap_open_live is called with:

P := _Pcap_Open_Live(IntfaceName
	, 65536  { packed size to sniff }
       	, 0     	
       	, 1000   { timeout }
       	, aErr);

Soon I'll reply because of the return values of pcap_next_ex.

> 
> Have a nice day
> GV
> 
> 
> 
>>> GV
>>>
>>>> Kind regards,
>>>>   dy
>>>>
>>>>> GV
>>>>>
>>>>>
>>>>>> Example code:
>>>>>>   // doesn't work
>>>>>>   for i := 0 to Length(Interfaces) - 1 do
>>>>>>   begin
>>>>>> // creates a thread which calls pcap_loop
>>>>>> SpawnMonitor(Interfaces[i];
>>>>>>   end;
>>>>>>
>>>>>>   // works, because our (now last) item is the correct NIC
>>>>>>   for i := Length(ValidP) - 1 downto 0 do
>>>>>>   begin
>>>>>> SpawnMonitor(Interfaces[i];
>>>>>>   end;
>>>>>>
>>>>>> So the problem is that PacketHandler isn't called for all devices.
>>>>>>
>>>>>> Kind regards,
>>>>>>   dy
>>>>>>
>>>>>>> GV
>>>>>>>
>>>>>>>> Specifying only one interface everything works fine.
>>>>>>>> Can I only monitor one interface at once or do I miss something?
>>>>>>>>
>>>>>>>> Maybe someone can give me an advice.
>>>>>>>>
>>>>>>>>
>>>>>>>> Kind regards,
>>>>>>>>   dy
>>>>>>>> _______________________________________________
>>>>>>>> Winpcap-users mailing list
>>>>>>>> Winpcap-users at winpcap.org
>>>>>>>> https://www.winpcap.org/mailman/listinfo/winpcap-users
>>>>>>> _______________________________________________
>>>>>>> Winpcap-users mailing list
>>>>>>> Winpcap-users at winpcap.org
>>>>>>> https://www.winpcap.org/mailman/listinfo/winpcap-users
>>>>>>>
>>>>>> _______________________________________________
>>>>>> Winpcap-users mailing list
>>>>>> Winpcap-users at winpcap.org
>>>>>> https://www.winpcap.org/mailman/listinfo/winpcap-users
>>>>> _______________________________________________
>>>>> Winpcap-users mailing list
>>>>> Winpcap-users at winpcap.org
>>>>> https://www.winpcap.org/mailman/listinfo/winpcap-users
>>>>>
>>>> _______________________________________________
>>>> Winpcap-users mailing list
>>>> Winpcap-users at winpcap.org
>>>> https://www.winpcap.org/mailman/listinfo/winpcap-users
>>> _______________________________________________
>>> Winpcap-users mailing list
>>> Winpcap-users at winpcap.org
>>> https://www.winpcap.org/mailman/listinfo/winpcap-users
>>>
>> _______________________________________________
>> Winpcap-users mailing list
>> Winpcap-users at winpcap.org
>> https://www.winpcap.org/mailman/listinfo/winpcap-users 
> 
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users
> 