This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Detecting UDP packets on simplex channel of a tap using SW API

0

Background. Have a lab setup involving multiple PCs with add-in 4-slot NIC cards, and a manufactured box with static IP addresses, all connected using Ethernet cable. Our plan was to insert a tap (Black Box 10/100 Aggregate Copper Tap) into one of the data connections between the box and PC#1, with the straight-thru connection going to PC#1, and a second Ethernet cable connecting to PC#2 from the tap's "A" output; i.e., we want the traffic going from the box to PC#1. The PCs are on a company network using their system board NIC and the usual dynamic IP address allocation, while the static IP addresses are on the add-in cards (1 add-in card per PC).

Problem. Wireshark seems to be in agreement on both PCs, as to traffic info. Most important, it can see the uni-directional traffic on the tap output line. But my software app cannot seem to do so.

Question: Can high-level network socket SW APIs recognize UDP packets on this type of tap output line? For now, I just want to know if it's possible or not. I'm attempting to use MS Visual Studio C#'s socket API set, since the rest of the app is in C#. We have C++ apps that do this, but they all use the WinPcap API interface to do so. So, before I switch over to use the WinPcap API, I'm wondering if I'm screwing up somewhere in the C# socket initialization code.

Thanks for any insights.

asked 30 Sep '15, 12:25

StevenSperling


One Answer:

0

You should look into WHY these C++ apps all use the WinPcap API instead of the high-level network socket API. They can't all be wrong in choosing that over the 'normal' network socket API?

Fact is, you need low-level access to the network. Since the high-level sockets are not involved in a connection, they will not present you with the tap line traffic. You may be able to tweak the options of a specific type of socket to get at this, but then you basically are reinventing parts of WinPcap. It might be worth looking at HOW these C++ apps use the WinPcap API. As for porting that to C# I've got no clue.

answered 01 Oct '15, 01:40

Jaap ♦

Is it that by using the WinPcap interface they can put the NIC into promiscuous mode?

(01 Oct '15, 03:44) grahamb ♦

To Jaap: Thanks for the input. And you are correct I believe with the tweak option; saw a post that indicated a raw packet socket option that would probably see the data at least. To Grahamb: Correct.

(01 Oct '15, 06:14) StevenSperling
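
The raw-socket option mentioned in the answer and the last comment, sketched in C# as an added example that is not part of the original thread: a raw IPv4 socket switched to receive-all mode (Windows `SIO_RCVALL`, which also asks the NIC for promiscuous mode) plus a minimal IPv4/UDP header parser. The class name, the command-line argument and the sample packet (documentation addresses 192.0.2.x) are assumptions made for illustration.

```csharp
using System;
using System.Net;
using System.Net.Sockets;

class TapUdpMonitor // hypothetical name, not from the thread
{
    // Summarise one IPv4 datagram if it carries a UDP header, otherwise return null.
    static string DescribeUdp(byte[] b, int len)
    {
        if (len < 20 || (b[0] >> 4) != 4) return null;               // too short or not IPv4
        int ihl = (b[0] & 0x0F) * 4;                                 // IP header length in bytes
        if (ihl < 20 || len < ihl + 8 || b[9] != 17) return null;    // protocol 17 = UDP
        if ((((b[6] & 0x1F) << 8) | b[7]) != 0) return null;         // later fragment: no UDP header
        int sport = (b[ihl] << 8) | b[ihl + 1];
        int dport = (b[ihl + 2] << 8) | b[ihl + 3];
        int udpLen = (b[ihl + 4] << 8) | b[ihl + 5];
        return $"{Ip(b, 12)}:{sport} -> {Ip(b, 16)}:{dport} udp_len={udpLen}";
    }

    static string Ip(byte[] b, int o) => $"{b[o]}.{b[o + 1]}.{b[o + 2]}.{b[o + 3]}";

    static void Main(string[] args)
    {
        if (args.Length == 0)
        {
            // Constructed sample (20-byte IPv4 header + 8-byte UDP header) to check the parser offline.
            byte[] sample = { 0x45, 0, 0, 28, 0, 0, 0, 0, 64, 17, 0, 0, 192, 0, 2, 10,
                              192, 0, 2, 20, 0x13, 0x88, 0x13, 0x89, 0, 8, 0, 0 };
            Console.WriteLine(DescribeUdp(sample, sample.Length));   // 192.0.2.10:5000 -> 192.0.2.20:5001 udp_len=8
            return;
        }
        // Assumption: args[0] is the static IPv4 address of the add-in NIC cabled to the tap output.
        using (var s = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.IP))
        {
            s.Bind(new IPEndPoint(IPAddress.Parse(args[0]), 0));
            s.SetSocketOption(SocketOptionLevel.IP, SocketOptionName.HeaderIncluded, true);
            // SIO_RCVALL with RCVALL_ON (1): deliver every IPv4 packet the interface sees, not only ours.
            s.IOControl(IOControlCode.ReceiveAll, BitConverter.GetBytes(1), new byte[4]);
            var buf = new byte[65535];
            while (true)
            {
                int n = s.Receive(buf);                              // one IP datagram per call, header included
                string line = DescribeUdp(buf, n);
                if (line != null) Console.WriteLine(line);
            }
        }
    }
}
```

Receive-all mode requires an elevated (Administrator) process, and the socket delivers packets from the IP header upward, so Ethernet headers and non-IP frames that WinPcap exposes are not visible this way.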