[Winpcap-users] first ethernet pkt gobbled by the next one...

Har Yash Bahadur har.bahadur at conexant.com
Mon Apr 7 13:12:15 GMT 2008

Hi Maria and everybody,

Thanks for your feedback. I am facing another very interesting issue in the same setup and this is more like what you have reported.

The scenario:
Win-XP-PC host application sends a special request to the device. This request requires the device to send back two Ethernet packets as the length of the response is around 2K bytes (and we limit the Ethernet payload to less than 1518 bytes). So the device firmware splits the payload and forms two Ethernet packets and sends them one after another, back to the PC host.
What I observe is that the first packet is overwritten by the one that follows it. Even Ethereal doesn't show two packets coming back on the interface!!!!
(I believe Ethereal also uses WinPcap)

I know for sure that the device IS sending two packets in succession, because I have a similar application running on a Linux host which works correctly. The Ethereal running on Linux host also shows two responses for such special request.

Who is gobbling up the packet? And why? And how? Surely there must be sufficient memory in Network adaptor Card.
I have played with the params of "pcap_open_live" but to no success.

I hope to get some inputs on this very interesting race condition.

Har Yash

-----Original Message-----
From: winpcap-users-bounces at winpcap.org [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Maria de Fatima Requena
Sent: Friday, April 04, 2008 12:14 PM
To: winpcap-users at winpcap.org
Subject: RE: [Winpcap-users] FW: problem with WinPcap... stops working!

I think some of us are suffering from the same problem. Someone on the Wireshark list suggested to me that the issue must be the NIC working faster than the disk can read/write.

I'm trying to 'tune' the application by changing the flag in pcap_open to 16 (max_responsiveness) and playing with the value of the read timeout, but I don't get much.

Let's see if we can get to a solution among all of us.

María de Fátima Requena Cabot (2488)
+34 91 787 23 00 alhambra-eidos.es

From: winpcap-users-bounces at winpcap.org [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Har Yash Bahadur
Sent: Friday, April 04, 2008 8:22
To: winpcap-users at winpcap.org
Subject: [Winpcap-users] FW: problem with WinPcap... stops working!

I am attaching the Ethereal log. After the first NBNS query is intercepted by the handler it stops getting other packets, even though the packets of the last two request-response pairs are seen by Ethereal.

The WinPcap version we have used is 4.0.3 and the APIs used in the application are:
* pcap_findalldevs
* pcap_open_live:

      if ((adhandle = pcap_open_live(d->name, // name of the device
                                     1530,    // (was 65536) portion of the packet to capture.
                                              // 65536 grants that the whole packet will be captured on all the MACs.
                                     1,       // promiscuous mode (nonzero means promiscuous)
                                     1000,    // read timeout
                                     errbuf   // error buffer
                                     )) == NULL)

* pcap_breakloop
* pcap_close
* pcap_sendpacket
* pcap_loop

From: Har Yash Bahadur
Sent: Friday, April 04, 2008 11:29 AM
To: 'winpcap-users at winpcap.org'
Subject: RE: problem with WinPcap... stops working!

For the 2nd point on Problem Description:
Another point to note is that I can see the traffic on Ethereal, both the request and response are taking place, but the handler registered by the application with WinPcap is not getting invoked after it was invoked due to a "spurious" pkt.

From: Har Yash Bahadur
Sent: Friday, April 04, 2008 11:18 AM
To: winpcap-users at winpcap.org
Subject: problem with WinPcap... stops working!

Hi! All,

I have written a simple application using WinPcap to send and receive L2-level (MAC) packets to a hardware device connected to my PC through Ethernet. The details of the setup are as follows:

1. The device runs software which sends back the packets received through the RJ-45 cable. The device has an integrated VMAC and its MAC address is known to the application running on PC beforehand.
2. The host (Windows PC running XP) has a Network adaptor card and its MAC address is known to the application.
3. The Application on PC-host prepares L2 packets in the following format:    | Dest MAC Addr | Src MAC addr | Protocol Type=0x88e1|  PAYLOAD |
4. The application then uses WinPcap APIs to send and receive packets to the hardware device; on a Request - Response basis.
5. The host is not connected to any LAN. It has been assigned a static IP, but it has other services running which keep sending out queries as if the PC were on a LAN.

Problem Description:
1. The packets which are sent out for the device are also received by the handler registered with WinPcap. This was mitigated by putting a filter in the handler using the protocol type (0x88e1) and the source MAC address as criteria, so that the application gets only those packets which are SENT by the device to the PC.
2. A bigger problem is that sometimes, after some "other" packets are received (and duly rejected by the handler), the communication seems to stop/hang. There is no crash as such, but the packet handler seems to stop working.

I am new to WinPcap; if you guys had a similar experience then please give me some clues.  Thanks!

Har Yash
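
Added example, not part of the original thread or the poster's application: the frame layout from setup item 3 and the handler-side filter from problem 1 (protocol type 0x88e1 plus source MAC), written so that a short capture is rejected before any header byte is read. The function names and the two sample MAC addresses are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

#define ETH_HDR_LEN  14      /* 6 dst + 6 src + 2 protocol type */
#define PROTO_DEVICE 0x88e1  /* protocol type given in the post */

/* Build | Dest MAC | Src MAC | Type=0x88e1 | PAYLOAD | into out.
 * Returns the frame length, or 0 if out is too small. */
size_t build_frame(uint8_t *out, size_t outlen, const uint8_t dst[6],
                   const uint8_t src[6], const uint8_t *payload, size_t plen)
{
    if (outlen < ETH_HDR_LEN || plen > outlen - ETH_HDR_LEN)
        return 0;
    memcpy(out, dst, 6);
    memcpy(out + 6, src, 6);
    out[12] = PROTO_DEVICE >> 8;     /* network byte order */
    out[13] = PROTO_DEVICE & 0xff;
    if (plen) memcpy(out + ETH_HDR_LEN, payload, plen);
    return ETH_HDR_LEN + plen;
}

/* Returns 1 only for frames sent by the device: type 0x88e1 and source MAC
 * equal to dev_mac. caplen is the captured length (pcap_pkthdr.caplen in a
 * pcap handler); frames shorter than an Ethernet header are rejected. */
int is_device_reply(const uint8_t *pkt, size_t caplen, const uint8_t dev_mac[6])
{
    if (pkt == NULL || caplen < ETH_HDR_LEN)
        return 0;
    if (pkt[12] != (PROTO_DEVICE >> 8) || pkt[13] != (PROTO_DEVICE & 0xff))
        return 0;
    return memcmp(pkt + 6, dev_mac, 6) == 0;
}

/* Constructed sample addresses (locally administered), not from the post. */
static const uint8_t HOST_MAC[6] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};
static const uint8_t DEV_MAC[6]  = {0x02, 0x00, 0x00, 0x00, 0x00, 0x02};

/* Runs the filter over three constructed frames: the host's own request,
 * the device's reply, and an unrelated IPv4 frame. Bit n set = frame n accepted. */
int demo(void)
{
    uint8_t req[64], rsp[64], other[64];
    const uint8_t body[4] = {1, 2, 3, 4};
    size_t n1 = build_frame(req, sizeof req, DEV_MAC, HOST_MAC, body, 4);
    size_t n2 = build_frame(rsp, sizeof rsp, HOST_MAC, DEV_MAC, body, 4);
    memcpy(other, rsp, n2);
    other[12] = 0x08; other[13] = 0x00;  /* same sender, protocol type 0x0800 */
    return is_device_reply(req, n1, DEV_MAC) | (is_device_reply(rsp, n2, DEV_MAC) << 1)
         | (is_device_reply(other, n2, DEV_MAC) << 2);
}
```

The same two conditions can also be applied before the handler runs, with a capture filter such as "ether proto 0x88e1 and ether src <device MAC>" installed through pcap_compile and pcap_setfilter.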
