Sorry if this is a lame question. I'm new to tcpdump and pcap. I am using the pcap static lib to develop an application which listens to TCP data on a specified port. I have a small prototype built up and it works well when sniffing TCP packets sent over port 80 (the default for HTTP). However, I would like to view HTTP packets to and from port 5984 (this is the default port that CouchDB uses). My application does not notice/sniff/see any packets on this port for some reason. Being that I am not a seasoned network developer, I am probably missing something fundamental.
I don't want to paste the whole application here but I can add any code that is necessary to find the problem. Please just let me know.
This is my pcap filter expression:

    char filter_exp[] = "tcp port 5984";    /* The filter expression */
The filter compiles and is set on the pcap session without a problem. The session is set to run in promiscuous mode.
    //get a pcap session
    //args: device, snapshot length, promisc mode, timeout (ms), err buff
    handle = pcap_open_live(dev, BUFSIZ, 1, 1000, errbuf);
    if (handle == NULL) {
        fprintf(stderr, "Couldn't open device %s: %s\n", dev, errbuf);
        return(2);
    }
    //compile our filter
    if (pcap_compile(handle, &fp, filter_exp, 0, net) == -1) {
        fprintf(stderr, "Couldn't parse filter %s: %s\n", filter_exp, pcap_geterr(handle));
        return(2);
    }
    //set the filter
    if (pcap_setfilter(handle, &fp) == -1) {
        fprintf(stderr, "Couldn't install filter %s: %s\n", filter_exp, pcap_geterr(handle));
        return(2);
    }
    //begin sniffing packets. cnt -1: keep sniffing until an error occurs
    //last arg is optional. It can be used to pass additional information to the callback
    pcap_loop(handle, -1, got_packet, NULL);
'got_packet' is my callback function. This is called many times using the same filter but with port 80 in place of 5984.
Using curl I have tried:

    $ curl http://localhost:5984/test

Just for the hell of it I have tried using the loopback:

    $ curl http://127.0.0.1:5984/test

These both go unnoticed by my pcap application. However, if I change my filter to listen on port 80 and do a

    $ curl http://www.google.com

I can see the packets coming through. What am I overlooking or not understanding?
Thanks a lot!
-Nick
If the packets are going from your Mac to the same Mac - for example, if you're communicating with "localhost" or 127.0.0.1 (which are the same thing - "localhost" resolves to 127.0.0.1), capture on lo0, not on en0 or en1. Traffic to 127.0.0.1 doesn't get sent on any real network, it gets looped back internally to your machine, so you have to look on the "loopback" network and the "loopback" interface for it.

(Similar answers apply for other UN*Xes, except that on Linux, the loopback interface is called just lo, not lo0. There's no equivalent on Windows, and on some versions of UN*X, such as Solaris 10 and earlier, you can't capture on the loopback interface.)
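As an added example (not part of the answer above, and not code from the question), the following C program works out which interface a capture for traffic to a given IPv4 destination has to run on, using the same reasoning as the answer: packets to 127.0.0.1, or to any address this host owns, never reach en0, so the capture must be opened on the loopback device, whose name is "lo0" on macOS and "lo" on Linux. It uses only POSIX sockets and getifadds(), so it builds without libpcap; the function names capture_iface_for and dest_is_on_loopback, the dotted-quad IPv4 input and the port 5984 default are assumptions of this example.

```c
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <net/if.h>
#include <ifaddrs.h>

/* Decide which interface a capture for dst_ip:dst_port must run on.
 * 1. connect() on a UDP socket sends nothing but makes the kernel pick a
 *    route; getsockname() then reveals the source address it chose.
 * 2. getifaddrs() maps that source address to an interface and tells us
 *    whether it is the loopback device. If the destination is one of this
 *    host's own addresses the packets are looped back too, so report loopback.
 * Returns 0 and fills ifname/is_loopback, or -1 (bad address, no route). */
int capture_iface_for(const char *dst_ip, unsigned short dst_port,
                      char *ifname, size_t ifname_len, int *is_loopback)
{
    struct sockaddr_in dst, local;
    socklen_t len = sizeof local;
    struct ifaddrs *ifa0, *ifa;
    const char *lo_name = NULL, *src_name = NULL, *pick;
    int s, src_is_lo = 0, dst_is_local = 0;

    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_port = htons(dst_port);
    if (inet_pton(AF_INET, dst_ip, &dst.sin_addr) != 1)
        return -1;

    s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0)
        return -1;
    if (connect(s, (struct sockaddr *)&dst, sizeof dst) < 0 ||
        getsockname(s, (struct sockaddr *)&local, &len) < 0) {
        close(s);
        return -1;
    }
    close(s);

    if (getifaddrs(&ifa0) < 0)
        return -1;
    for (ifa = ifa0; ifa != NULL; ifa = ifa->ifa_next) {
        struct sockaddr_in *a;
        if (ifa->ifa_addr == NULL || ifa->ifa_addr->sa_family != AF_INET)
            continue;
        a = (struct sockaddr_in *)ifa->ifa_addr;
        if (ifa->ifa_flags & IFF_LOOPBACK)
            lo_name = ifa->ifa_name;        /* "lo0" on macOS, "lo" on Linux */
        if (a->sin_addr.s_addr == dst.sin_addr.s_addr)
            dst_is_local = 1;               /* destination is our own address */
        if (a->sin_addr.s_addr == local.sin_addr.s_addr) {
            src_name = ifa->ifa_name;       /* interface owning the chosen source */
            src_is_lo = (ifa->ifa_flags & IFF_LOOPBACK) != 0;
        }
    }

    if (dst_is_local || src_is_lo) {
        pick = lo_name != NULL ? lo_name : src_name;
        *is_loopback = 1;
    } else {
        pick = src_name;
        *is_loopback = 0;
    }
    if (pick == NULL) {
        freeifaddrs(ifa0);
        return -1;
    }
    snprintf(ifname, ifname_len, "%s", pick);   /* copy before freeing the list */
    freeifaddrs(ifa0);
    return 0;
}

/* Convenience wrapper: 1 = loopback, 0 = a real NIC, -1 = could not decide. */
int dest_is_on_loopback(const char *dst_ip)
{
    char name[IF_NAMESIZE];
    int lb = 0;
    if (capture_iface_for(dst_ip, 5984, name, sizeof name, &lb) != 0)
        return -1;
    return lb;
}

int main(int argc, char **argv)
{
    const char *dst = argc > 1 ? argv[1] : "127.0.0.1";   /* CouchDB on this host */
    char name[IF_NAMESIZE];
    int lb = 0;

    if (capture_iface_for(dst, 5984, name, sizeof name, &lb) != 0) {
        fprintf(stderr, "cannot determine capture interface for %s\n", dst);
        return 1;
    }
    printf("traffic to %s:5984 goes via %s (%s)\n", dst, name,
           lb ? "loopback, never on the wire" : "a real NIC");
    printf("capture with: tcpdump -i %s -n 'tcp port 5984'\n", name);
    return 0;
}
```

Build with `cc -o capif capif.c` (no `-lpcap` needed) and run `./capif 127.0.0.1` or `./capif <address of the CouchDB host>`; the printed interface name is what to pass to pcap_open_live() (or to `tcpdump -i`) in place of the en0/en1 device the question's prototype was opening. Matching the kernel's chosen source address back to an interface is a heuristic, which is why the code also treats any destination that is one of the host's own addresses as loopback traffic.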