ARP transmission delays promiscuous capture (libpcap/wireshark)
I have two machines: TX and RX. RX runs a libpcap application to sniff out and receive traffic on a dedicated ethernet port.
TX transmits a continuous stream of UDP packets holding MPEG-TS.
Whether using the libpcap app or wireshark, every once in a while there is a gap between received packets of almost 1 second.
I've tracked this down to something to do with ARP.
TX Machine
Running wireshark on the sender shows packets being sent at regular intervals:
RX Machine
Here's what wireshark shows on the receiver:
There is a 999ms gap in receiving the two packets just before the ICMP packet sent by the receiver.
The time gap is very consistent and presents with both Wireshark and compiled libpcap app written in C++. Time gap always just before ICMP is sent by RX.
The receiver must be fully promiscuous and faithfully capture and report what's on the wire.
Disabling the ICMP port unreachable messages by setting arp_ignore is not a solution; the sender cannot send any data without knowing the MAC address of RX.
Is this a problem with libpcap?
This seems like purely a receiver-side issue but much searching has not come up with any solution.
I need a faithful capture from the wire. Something to modify somewhere?
Reference
The libpcap app is using the latest version, 1.9.0. Wireshark says:
Running on Linux 4.4.127-1.el6.elrepo.i686, with locale en_US.UTF-8,
with libpcap version 1.9.0-PRE-GIT (with TPACKET_V3), with libz 1.2.3,
GnuTLS 2.8.5, Gcrypt 1.4.5, without AirPcap.
network-programming wireshark libpcap
asked Mar 27 at 13:50
Danny
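One way to measure the stalls described in the question above, given here as an added example that is not part of the original post: a parser for classic pcap files that reports every inter-arrival gap over a threshold, together with the frame types on either side of it and the frame that follows. It assumes an Ethernet link type, untagged IPv4 frames and microsecond timestamps; the function names and the sample capture are constructed for illustration.

```python
import struct

IP_PROTOS = {1: "ICMP", 17: "UDP"}

def classify(frame):
    """Label an Ethernet frame: ARP, ICMP, UDP, other IPv4, or raw EtherType."""
    if len(frame) < 14:
        return "short"
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == 0x0806:
        return "ARP"
    if etype == 0x0800 and len(frame) > 23:
        return IP_PROTOS.get(frame[23], "IPv4")
    return hex(etype)

def read_pcap(data):
    """Yield (timestamp_us, frame) from classic (microsecond) pcap bytes."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic microsecond-resolution pcap")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        yield sec * 1_000_000 + usec, data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def find_gaps(data, threshold_us=500_000):
    """Return (gap_us, label_before, label_after, label_following) per stall."""
    pkts = [(ts, classify(f)) for ts, f in read_pcap(data)]
    gaps = []
    for i in range(1, len(pkts)):
        delta = pkts[i][0] - pkts[i - 1][0]
        if delta > threshold_us:
            following = pkts[i + 1][1] if i + 1 < len(pkts) else None
            gaps.append((delta, pkts[i - 1][1], pkts[i][1], following))
    return gaps

def sample_pcap():
    """Constructed capture: UDP every 10 ms, one 999 ms stall, then ICMP."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    events = [(0, 17), (10_000, 17), (20_000, 17), (1_019_000, 17), (1_019_100, 1)]
    for t_us, proto in events:
        # Zeroed MACs, EtherType IPv4, 20-byte header with only the protocol set.
        frame = bytes(12) + b"\x08\x00" + bytes(9) + bytes([proto]) + bytes(10)
        out += struct.pack("<IIII", t_us // 10**6, t_us % 10**6, len(frame), len(frame))
        out += frame
    return out

if __name__ == "__main__":
    for gap in find_gaps(sample_pcap()):
        print(gap)
```

Running the same function over captures saved on TX and RX for the same interval shows whether a stall is present in both or only on the receiving side.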