Monday, November 4, 2013

Opening a WinPcap Compatible Network Interface

Sometimes a network interface is WinPcap compatible, meaning it can be opened with WinPcap, yet opening it with the methods shown in the developer example code fails. The examples usually open the interface with the PCAP_OPENFLAG_PROMISCUOUS flag. While that normally works fine for wired interfaces, wireless interfaces (WiFi 802.11) may not open. In fact, according to a Winpcap-users post from 2008 regarding v4, "most of the wireless cards do not support promiscuous mode. The call to pcap_open with PCAP_OPENFLAG_PROMISCUOUS should fail" (see http://www.winpcap.org/pipermail/winpcap-users/2008-June/002532.html).

Here is typical code from the examples:

pcap_t *hDev = pcap_open(deviceName, 65536, PCAP_OPENFLAG_PROMISCUOUS, 1000, NULL, errMsg1);

If it fails to open because the interface cannot support promiscuous mode, hDev is NULL and errMsg1 will contain a string like this: "failed to set hardware filter to promiscuous mode".

A good way of dealing with this is to first try opening the interface with the flag; then, if hDev is NULL, try opening it again without the flag, using a second error buffer:

hDev = pcap_open(deviceName, 65536, 0, 1000, NULL, errMsg2);

Then if hDev is still NULL, report both errMsg1 and errMsg2 to the user. If both attempts fail, avoid making any further WinPcap function calls except pcap_freealldevs: you most likely used pcap_findalldevs_ex before trying to open an interface, and it allocated the device list from which deviceName was taken.
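The two-step open described above, written as one C function. This is an added example, not code from the original post or from WinPcap. The names open_result, open_with_fallback and stub_wifi_open are hypothetical; the opener is passed as a function pointer with pcap_open's signature so the logic can run without an adapter, and the header stand-ins at the top are assumptions that a real build replaces with the WinPcap headers.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins (assumption) for the WinPcap header declarations used below. */
#define PCAP_OPENFLAG_PROMISCUOUS 1
#define PCAP_ERRBUF_SIZE 256
typedef struct pcap pcap_t;
struct pcap_rmtauth;
/* Same signature as pcap_open(); a real build passes pcap_open itself. */
typedef pcap_t *(*open_fn)(const char *, int, int, int,
                           struct pcap_rmtauth *, char *);

typedef struct {                      /* hypothetical result type */
    pcap_t *handle;                   /* NULL if both attempts failed */
    int promiscuous;                  /* 1 only if the first attempt worked */
    char errMsg1[PCAP_ERRBUF_SIZE];   /* error from the promiscuous attempt */
    char errMsg2[PCAP_ERRBUF_SIZE];   /* error from the fallback attempt */
} open_result;

open_result open_with_fallback(open_fn opener, const char *deviceName)
{
    open_result r;
    memset(&r, 0, sizeof r);
    r.handle = opener(deviceName, 65536, PCAP_OPENFLAG_PROMISCUOUS,
                      1000, NULL, r.errMsg1);
    if (r.handle != NULL) {
        r.promiscuous = 1;
        return r;
    }
    /* errMsg1 is preserved; the second attempt writes to its own buffer. */
    r.handle = opener(deviceName, 65536, 0, 1000, NULL, r.errMsg2);
    return r;
}

/* Constructed stub: acts like a wireless adapter that rejects promiscuous mode. */
static char fake_adapter;
pcap_t *stub_wifi_open(const char *src, int snaplen, int flags, int timeout,
                       struct pcap_rmtauth *auth, char *errbuf)
{
    (void)src; (void)snaplen; (void)timeout; (void)auth;
    if (flags & PCAP_OPENFLAG_PROMISCUOUS) {
        snprintf(errbuf, PCAP_ERRBUF_SIZE,
                 "failed to set hardware filter to promiscuous mode");
        return NULL;
    }
    return (pcap_t *)&fake_adapter;
}
```

A caller should check promiscuous as well as handle: a capture that fell back to normal mode only sees packets intended for the host, which is worth telling the user. If handle is NULL, report both messages and call only pcap_freealldevs.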

Why is opening an interface in promiscuous mode important? When a network interface card (NIC) is opened in promiscuous mode, all packets seen by the interface are captured and passed to the host system, while an interface opened normally only captures packets strictly intended for it alone. So if you are running a utility like NetScanTools Pro Packet Capture or Wireshark, you will most likely want to be running in promiscuous mode so you can see all the packets passing by the interface.

Applicability:
WinPcap v4.1.3 is the most current version as of this discussion. Please visit http://www.winpcap.org/
