Tags: c++, libpcap, packet-sniffers, winpcap, network-interface

Does sniffing in loopback capture outside traffic?


I have a game server running on some port. I learned to sniff packets on loopback, so if I connect to it from the same computer, the packets are captured.

But somebody can connect from another computer, and those packets will not be sniffed.

Packets from another computer must pass through one of my interfaces. So should I sniff on that interface too, in order to get packets coming from both my computer and other computers?

Here is my program

#define IP_HL(ip)               (((ip)->ip_vhl) & 0x0f)
#define IP_V(ip)                (((ip)->ip_vhl) >> 4)
#define _WINSOCK_DEPRECATED_NO_WARNINGS
#include <stdio.h>
#include <pcap.h>
#include <WS2tcpip.h>
#pragma comment(lib, "Ws2_32.lib")
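/**
 * pcap_loop() callback: print each captured byte of one packet as a decimal
 * number, followed by a newline.
 *
 * @param args    User pointer passed to pcap_loop(); unused here.
 * @param header  Per-packet metadata supplied by libpcap.
 * @param packet  Captured bytes; only header->caplen bytes are valid.
 */
void
got_packet(u_char* args, const struct pcap_pkthdr* header, const u_char* packet)
{
    (void)args;

    /*
     * Iterate over caplen, not len. len is the packet's length on the wire,
     * while caplen is how many bytes libpcap actually stored in `packet`
     * (it is limited by the snapshot length given to pcap_open_live()).
     * Looping to len reads past the end of the buffer whenever a packet is
     * longer than the snapshot length, and the packet contents come from
     * the network, i.e. from an untrusted sender.
     */
    for (unsigned int idx = 0; idx < header->caplen; idx++)
    {
        printf("%d ", (unsigned char)packet[idx]);
    }
    printf("\n");
}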
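/**
 * List all capture devices, pick the loopback device, and print every packet
 * matching the filter "port 8192" until capture stops.
 *
 * Only traffic that crosses the loopback device is seen; connections from
 * other machines arrive on a different interface and need their own capture
 * handle.
 *
 * @return 0 when the capture loop ends normally, 2 on any setup or capture
 *         error (including "no loopback device found").
 */
int main(int argc, char* argv[])
{
    /*
     * SNAPLEN: capture whole packets. The original BUFSIZ is a stdio buffer
     * size unrelated to packet size (often only 512 bytes, e.g. with MSVC),
     * so longer packets were silently truncated.
     */
    enum { SNAPLEN = 65535, READ_TIMEOUT_MS = 5000 };

    char errbuf[PCAP_ERRBUF_SIZE];
    char filter_exp[] = "port 8192";    /* The filter expression */
    pcap_if_t* interfaces = NULL;
    pcap_if_t* loopback = NULL;
    struct bpf_program fp;              /* The compiled filter expression */
    pcap_t* handle = NULL;
    int rc = 2;

    (void)argc;
    (void)argv;

    if (pcap_findalldevs(&interfaces, errbuf) == -1) {
        fprintf(stderr, "Couldn't find default device: %s\n", errbuf);
        return(2);
    }

    for (pcap_if_t* temp = interfaces; temp; temp = temp->next)
    {
        printf("%u ", (unsigned int)temp->flags);
        printf("Name: %s with ", temp->name);

        /* description may be NULL; passing NULL to %s is undefined behavior. */
        printf(" %s \n", temp->description ? temp->description : "(no description)");

        /* Test the documented flag bit rather than relying on flags % 2. */
        if (temp->flags & PCAP_IF_LOOPBACK)
        {
            printf("Loopback device found\n");
            loopback = temp;
        }
    }
    if (loopback == NULL)
    {
        printf("No loopback device found.\n Install npcap from nmap.org/npcap / ");
        /* This is a failure, so report it like the other error paths. */
        goto out;
    }

    /*
     * Promiscuous mode (third argument) is not needed to see traffic
     * addressed to this host; it is kept as in the original program.
     */
    handle = pcap_open_live(loopback->name, SNAPLEN, 1, READ_TIMEOUT_MS, errbuf);
    if (handle == NULL) {
        fprintf(stderr, "Couldn't open device %s: %s\n", loopback->name, errbuf);
        goto out;
    }

    /*
     * The last argument of pcap_compile() is a netmask, used only for
     * broadcast tests in filters; "port 8192" does not need one, so pass 0
     * (the original assigned NULL to an integer).
     */
    if (pcap_compile(handle, &fp, filter_exp, 0, 0) == -1) {
        fprintf(stderr, "Couldn't parse filter %s: %s\n", filter_exp, pcap_geterr(handle));
        goto out;
    }
    if (pcap_setfilter(handle, &fp) == -1) {
        fprintf(stderr, "Couldn't install filter %s: %s\n", filter_exp, pcap_geterr(handle));
        pcap_freecode(&fp);
        goto out;
    }
    /* The compiled program is no longer needed once the filter is installed. */
    pcap_freecode(&fp);

    if (pcap_loop(handle, -1, got_packet, NULL) == -1) {
        fprintf(stderr, "Error while capturing: %s\n", pcap_geterr(handle));
        goto out;
    }
    rc = 0;

out:
    if (handle != NULL) {
        pcap_close(handle);
    }
    /* `loopback` points into this list, so free it only after its last use. */
    if (interfaces != NULL) {
        pcap_freealldevs(interfaces);
    }
    return(rc);
}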

Solution

  • So should I sniff on that interface too, in order to get packets coming from both my computer and other computers?

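    Yes, you should do that - or, if you're running on Linux, you can capture on the "any" device, which should capture traffic on all interfaces. The loopback device only carries traffic that both originates on and is addressed to the local machine; connections from other hosts arrive on the network interface they are routed through. The program above targets Windows (Npcap), where there is no "any" device, so it needs a second capture handle opened on that interface.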