0

Sorry if this a lame question. I'm new to tcpdump and pcap. I am using the pcap static lib to develop and application which listens to TCP data on a specified port. I have a small prototype built up and it works well when sniffing tcp packets sent over port 80 (the default from HTTP). However I would like to view HTTP packets to and from port 5984 (this is the default port that CouchDB uses). My application does not notice/sniff/see any packets on this port for some reason. Being that I am not a seasoned network developer I am probably missing something fundamental.

I don't want to paste the whole application here but I can add any code that is necessary to find the problem. Please just let me know.

This is the my pcap filter expression:

 char filter_exp[] = "tcp port 5984";/* The filter expression */

The filter compiles and is set on the pcap session without a problem. The session is set to run in promiscuous mode.

    //get a pcap session
    //args device, # of packets to capture, promisc mode, timeout, err buff
    handle = pcap_open_live(dev, BUFSIZ, 1, 1000, errbuf);
    if (handle == NULL) {
        fprintf(stderr, "Couldn't open device %s: %s\n", dev, errbuf);
        return(2);

     //compile our filter
    if (pcap_compile(handle, &fp, filter_exp, 0, net) == -1) {
        fprintf(stderr, "Couldn't parse filter %s: %s\n", filter_exp, pcap_geterr(handle));
        return(2);
    }
    //set the filter
    if (pcap_setfilter(handle, &fp) == -1) {
        fprintf(stderr, "Couldn't install filter %s: %s\n", filter_exp, pcap_geterr(handle));
        return(2);
    }
    
    //begin sniffing packets. cnt -1: keep sniffing until err occurs
    //last arg is optional. It can be used to pass additonal information to callback
    pcap_loop(handle, -1, got_packet, NULL);

'got_packet' is my callback function. This is called many times using the same filter but with port 80 in place of 5984.

Using Curl I have tried: $ curl http://localhost:5984/test

Just for the hell of it I have trying using the loopback: $ curl http://127.0.0.1:5984/test

These both go unnoticed by my pcap application. However if I change my filter to listen on port 80 and do a $ curl http://www.google.com

I can see the packets coming through. What am I overlooking or not understanding?

Thanks a lot!

-Nick

Community
  • 1
  • 1
Nick
  • 19,198
  • 51
  • 185
  • 312
  • 1
    Which OS is this running on? And you are aware that establishing a connection to 127.0.0.1 is using a different device than the one used when `curl`ing google? – alk Jun 15 '13 at 17:27
  • Is the program running with administrative rights? – chacham15 Jun 15 '13 at 17:36
  • The program is not running with root access. @chacham Great point.. Ill try that. – Nick Jun 15 '13 at 21:37
  • @alk I am running this on Mac OSx 10.8.3 and No I was not aware that a different adapter would be used. – Nick Jun 15 '13 at 21:38

1 Answers1

2

If the packets are going from your Mac to the same Mac - for example, if you're communicating with "localhost" or 127.0.0.1 (which are the same thing - "localhost" resolves to 127.0.0.1), capture on lo0, not on en0 or en1. Traffic to 127.0.0.1 doesn't get sent on any real network, it gets looped back internally to your machine, so you have to look on the "loopback" network and the "loopback" interface for it.

(Similar answers apply for other UN*Xes, except that on Linux, the loopback interface is called just lo, not lo0. There's no equivalent on Windows, and on some versions of UN*X, such as Solaris 10 and earlier, you can't capture on the loopback interface.)

  • Thanks! I'm trying it. I did some reading up on loopbacks. This sounds like the answer. – Nick Jun 15 '13 at 23:45