
I want to only capture the traffic sent or destined to my local machine (no promiscuous mode). Nevertheless, broadcast traffic should also be captured.

So, the question is how to open the adapter? Which flags should be used? There is no specific flag for this kind of capture. I only found the following flags:

```c
#define PCAP_OPENFLAG_PROMISCUOUS   1
// Defines if the adapter has to go in promiscuous mode.

#define PCAP_OPENFLAG_DATATX_UDP   2
// Defines if the data transfer (in case of a remote capture) has to be done with UDP protocol.

#define PCAP_OPENFLAG_NOCAPTURE_RPCAP   4
// Defines if the remote probe will capture its own generated traffic.

#define PCAP_OPENFLAG_NOCAPTURE_LOCAL   8
// Defines if the local adapter will capture its own generated traffic.

#define PCAP_OPENFLAG_MAX_RESPONSIVENESS   16
// This flag configures the adapter for maximum responsiveness.
```

So, should I open the adapter in promiscuous mode and set an appropriate filter? Or is there a better possibility to achieve this goal (better in terms of less processing by the WinPCAP capture driver)?

Thanks for clarification! jonas

Jonas

1 Answer

> I want to only capture the traffic sent or destined to my local machine (no promiscuous mode).

Then don't turn promiscuous mode on.

> Nevertheless, broadcast traffic should also be captured.

Broadcast traffic will always be captured (unless you specify a filter, such as !broadcast, that explicitly filters it out).

  • Thanks for your answer. So, just for my clarification, you suggest me to set the flag value to 0, yes? Would you furthermore, set a filter? E.g. what if another pcap application, for instance Wireshark, is running in promiscuous mode? What happens if I just set the flag to 0 and don't use a filter. Will my application receive in this case all frames, although those not destined to the machine? Thanks again! – Jonas May 07 '14 at 07:36
  • "you suggest me to set the flag value to 0, yes?" Yes. "Would you furthermore, set a filter?" Only if you want to further limit the packets you see. –  May 07 '14 at 18:12
  • "E.g. what if another pcap application, for instance Wireshark, is running in promiscuous mode?" I'm not sure - it depends on whether each *instance* of a driver such as the WinPcap driver has a separate "filter" in the NDIS sense (which is *NOT* a filter in the pcap sense; promiscuous vs. non-promiscuous is part of the NDIS "filter"), or each *driver* does. The Microsoft documentation doesn't make this clear. –  May 07 '14 at 18:18
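
The comments leave open whether a handle opened with flags 0 still sees foreign frames when another application has put the adapter into promiscuous mode. As an added example (not code from the answer or from WinPcap; `build_local_filter`, `frame_is_local` and the sample MAC addresses are hypothetical), this C code builds the pcap filter expression for "my MAC or broadcast" and applies the same check by hand to captured frames, so the result no longer depends on the adapter's mode:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 6
#define ETH_HDR_LEN 14 /* dst MAC + src MAC + EtherType */

/* Hypothetical helper: writes the pcap filter expression for "sent by or
 * addressed to `mac`, plus Ethernet broadcast". Pass the string to
 * pcap_compile()/pcap_setfilter() on a handle opened with flags 0.
 * Returns the string length, or -1 if `out` is too small. */
int build_local_filter(const uint8_t *mac, char *out, size_t outlen)
{
    int n = snprintf(out, outlen,
                     "ether host %02x:%02x:%02x:%02x:%02x:%02x or ether broadcast",
                     mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Hypothetical helper: the same test applied by hand to a captured frame,
 * e.g. in the packet callback. Returns 1 to keep the frame, 0 to drop it. */
int frame_is_local(const uint8_t *frame, size_t caplen, const uint8_t *mac)
{
    static const uint8_t bcast[MAC_LEN] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    if (frame == NULL || caplen < ETH_HDR_LEN)
        return 0; /* truncated Ethernet header: cannot classify, drop */
    return memcmp(frame, mac, MAC_LEN) == 0 ||           /* destined to us */
           memcmp(frame + MAC_LEN, mac, MAC_LEN) == 0 || /* sent by us */
           memcmp(frame, bcast, MAC_LEN) == 0;           /* broadcast */
}

/* Constructed sample data (locally administered MACs, not from the page). */
static const uint8_t MY_MAC[MAC_LEN] = {0x02, 0x00, 0x00, 0xaa, 0xbb, 0xcc};
static const uint8_t TO_ME[ETH_HDR_LEN] = {0x02,0x00,0x00,0xaa,0xbb,0xcc, 0x02,0x00,0x00,0x11,0x22,0x33, 0x08,0x00};
static const uint8_t FROM_ME[ETH_HDR_LEN] = {0x02,0x00,0x00,0x11,0x22,0x33, 0x02,0x00,0x00,0xaa,0xbb,0xcc, 0x08,0x00};
static const uint8_t BCAST[ETH_HDR_LEN] = {0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x11,0x22,0x33, 0x08,0x06};
static const uint8_t FOREIGN[ETH_HDR_LEN] = {0x02,0x00,0x00,0x44,0x55,0x66, 0x02,0x00,0x00,0x11,0x22,0x33, 0x08,0x00};

int main(void)
{
    char expr[80];
    if (build_local_filter(MY_MAC, expr, sizeof expr) > 0)
        printf("filter: %s\n", expr);
    printf("to_me=%d from_me=%d broadcast=%d foreign=%d\n",
           frame_is_local(TO_ME, sizeof TO_ME, MY_MAC), frame_is_local(FROM_ME, sizeof FROM_ME, MY_MAC),
           frame_is_local(BCAST, sizeof BCAST, MY_MAC), frame_is_local(FOREIGN, sizeof FOREIGN, MY_MAC));
    return 0;
}
```

Multicast frames are not matched by this expression; append `or ether multicast` if they should be kept as well.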