Missing packets when "sniffing" with winsock.

Giganews Newsgroups
Subject: Missing packets when "sniffing" with winsock.
Posted by:  fp (free.pref…@gmail.com)
Date: 5 Mar 2007

Hello All,

I am trying to write a small sniffer using winsock to sniff network
packets.
Everything works great except that in a relatively large scale of
traffic the "sniffer" seems to be
missing packets.

var
  counter : integer;
  rSocket : TSocket;
  Data : array [0..8000] of byte;
  WSAData: TWSAData;
  BytesReceived : dword;

begin
WSAStartup(WINSOCK_VERSION, WSAData);
rSocket := Socket(PF_INET, SOCK_RAW, IPPROTO_ICMP);
if (rSocket <> INVALID_SOCKET) then begin
      SockAddrIn.sin_family := AF_INET;
      SockAddrIn.sin_addr := GetInAddr;
      SockAddrIn.sin_port := htons(0);
      bind(rSocket, @SockAddrIn, SizeOf(SockAddrIn));
      WSAIoctl(rSocket, IOC_RCVALL, @Control, SizeOf(Control), nil, 0,
@BytesReceived, nil, nil);
      counter:=0;
      while rSocket <> INVALID_SOCKET do
      begin
        wbuf.len:=sizeof (data);
        wbuf.buf:=@data;
        dwFlags := 0;
        BytesReceived:=0;
        res:=WSARecv(rSocket, @wbuf, 1, BytesReceived, dwFlags, nil,
nil);
        if res=0 then begin
        counter:=counter+1;
        writeln ('got packets number:',counter);
        end;
    end;

The above is using a WSARecv loop in order to read the packets.
I am using two more programs first I am running Ethereal to sniff ICMP
packets, then I am running this program and another program that
generates ICMP packets. When ethereal shows for example 500 ICMP
packets, my program shows only around 450, i.e. it is missing packets
that Ethereal was able to capture.
Am I missing something here ? Is there a better implementation that
should be designed using winsock in order not to lose any packets on a
user-mode level and not kernel mode drivers ?

-fp

Replies