I've coded a packet sniffer using raw sockets, promiscuous mode, and the recv() function to capture packets. It works fine on one machine, but captures only incoming traffic on the other one.
My setup is this: the modem is connected by cable to the router. One machine, running Windows 7, is connected by cable directly to the router. Sniffing on this machine goes well; I can capture all incoming and outgoing traffic.
I have another machine, running Windows XP, that is connected wirelessly to the router. The same sniffer on this one captures only incoming traffic. For some reason even some local loopback traffic is missed on this machine.
Is it a hardware or software limitation, or can I actually do something for the XP machine? Am I using the right function for receiving packets?
I haven't done this stuff in years and I can't find the source now, but I remember there being a fix in XP SP 1 (I think) that restricted the visibility of outgoing packets.
I'll try to find it over the break, but there is definitely a restriction in there somewhere, I remember having to explain it to management when I ran into it.
Thanks, looking forward to this info. Sorry that I wasn't specific enough: I'm not using WinPcap or any other kind of downloadable libraries, drivers, etc.; I'm trying to write it without involving any external stuff. I guess my program should be similar to RawCap.
On Windows 7, Windows Vista, Windows XP with Service Pack 2 (SP2), and Windows XP with Service Pack 3 (SP3), the ability to send traffic over raw sockets has been restricted in several ways:
TCP data cannot be sent over raw sockets.
UDP datagrams with an invalid source address cannot be sent over raw sockets. The IP source address for any outgoing UDP datagram must exist on a network interface or the datagram is dropped. This change was made to limit the ability of malicious code to create distributed denial-of-service attacks and limits the ability to send spoofed packets (TCP/IP packets with a forged source IP address).
A call to the bind function with a raw socket for the IPPROTO_TCP protocol is not allowed.
Note: The bind function with a raw socket is allowed for other protocols (IPPROTO_IP, IPPROTO_UDP, or IPPROTO_SCTP, for example).
These above restrictions do not apply to Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, or to versions of the operating system earlier than Windows XP with SP2.
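The restrictions quoted above are about sending and about bind() on an IPPROTO_TCP raw socket; a RawCap-style sniffer receives on an IPPROTO_IP raw socket, which the note says may still be bound. The following is an added example, not code from the original poster, from RawCap or from Microsoft: the usual Windows capture loop (raw IPv4 socket, bind to the interface's own address, SIO_RCVALL, recv) combined with a portable IPv4 header parser that labels each datagram inbound, outbound or local relative to the bound address, so "only incoming traffic" can be counted rather than eyeballed. Function names (`parse_ipv4`, `classify`, `sniff`) and the 28-byte sample packet are this example's own; the sample is constructed, not a real capture.

```c
/* Added example: RawCap-style raw-socket sniffer (Windows part under _WIN32)
 * plus a portable IPv4 parser that classifies datagram direction relative
 * to the sniffing interface. Names and sample data are the example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <winsock2.h>
#include <ws2tcpip.h>
#include <mstcpip.h>          /* SIO_RCVALL, RCVALL_ON */
#pragma comment(lib, "ws2_32.lib")
#endif

enum direction { DIR_INBOUND = 0, DIR_OUTBOUND, DIR_LOCAL, DIR_OTHER };

struct ipv4_info {
    uint8_t  ihl, protocol;   /* header length in bytes; 6 = TCP, 17 = UDP */
    uint16_t total_len;
    uint32_t src, dst;        /* host byte order */
    uint16_t sport, dport;    /* 0 unless TCP or UDP */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
uint32_t ipv4_addr(unsigned a, unsigned b, unsigned c, unsigned d) {
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* Parse what recv() returns on a raw IPv4 socket: the whole datagram, IP header
 * included. Every field read is bounds-checked first. 0 = ok, -1 = malformed. */
int parse_ipv4(const uint8_t *buf, size_t len, struct ipv4_info *out)
{
    if (len < 20 || (buf[0] >> 4) != 4) return -1;
    uint8_t ihl = (uint8_t)((buf[0] & 0x0F) * 4);
    uint16_t total_len = be16(buf + 2);
    if (ihl < 20 || total_len < ihl || total_len > len) return -1;
    memset(out, 0, sizeof *out);
    out->ihl = ihl;  out->total_len = total_len;  out->protocol = buf[9];
    out->src = be32(buf + 12);  out->dst = be32(buf + 16);
    /* TCP and UDP headers both begin with 16-bit source and destination ports. */
    if ((out->protocol == 6 || out->protocol == 17) && total_len >= ihl + 4) {
        out->sport = be16(buf + ihl);  out->dport = be16(buf + ihl + 2);
    }
    return 0;
}

/* Direction of a parsed datagram relative to the address the socket is bound to. */
enum direction classify(const struct ipv4_info *p, uint32_t local)
{
    int from_local = p->src == local, to_local = p->dst == local;
    if (from_local && to_local) return DIR_LOCAL;
    if (from_local) return DIR_OUTBOUND;
    if (to_local) return DIR_INBOUND;
    return DIR_OTHER;
}

/* Constructed sample, not a real capture: UDP 192.168.1.10:49153 -> 8.8.8.8:53,
 * 28 bytes; checksums are left zero because the parser does not verify them. */
const uint8_t SAMPLE_UDP_PACKET[28] = {
    0x45, 0x00, 0x00, 0x1C, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0x00, 0x00,
    0xC0, 0xA8, 0x01, 0x0A, 0x08, 0x08, 0x08, 0x08,
    0xC0, 0x01, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00
};

#ifdef _WIN32
/* Capture max_packets datagrams on the interface owning local_ip and count them
 * per direction. Must run elevated (administrator); SIO_RCVALL needs a socket
 * bound to one specific local address, not INADDR_ANY. */
int sniff(const char *local_ip, int max_packets)
{
    WSADATA wsa;
    if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) return -1;
    SOCKET s = socket(AF_INET, SOCK_RAW, IPPROTO_IP);  /* IPPROTO_IP, never IPPROTO_TCP */
    if (s == INVALID_SOCKET) { WSACleanup(); return -1; }
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = inet_addr(local_ip);
    DWORD on = RCVALL_ON, returned = 0;
    if (bind(s, (struct sockaddr *)&sa, sizeof sa) == SOCKET_ERROR ||
        WSAIoctl(s, SIO_RCVALL, &on, sizeof on, NULL, 0, &returned, NULL, NULL) == SOCKET_ERROR) {
        fprintf(stderr, "bind/SIO_RCVALL failed: %d\n", WSAGetLastError());
        closesocket(s); WSACleanup(); return -1;
    }
    uint32_t local = ntohl(sa.sin_addr.s_addr);
    int counts[4] = {0, 0, 0, 0};
    static uint8_t buf[65535];
    for (int i = 0; i < max_packets; i++) {
        int n = recv(s, (char *)buf, sizeof buf, 0);
        if (n <= 0) break;
        struct ipv4_info info;
        if (parse_ipv4(buf, (size_t)n, &info) == 0) counts[classify(&info, local)]++;
    }
    printf("inbound=%d outbound=%d local=%d other=%d\n",
           counts[DIR_INBOUND], counts[DIR_OUTBOUND], counts[DIR_LOCAL], counts[DIR_OTHER]);
    closesocket(s); WSACleanup();
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <local-interface-ip>\n", argv[0]); return 1; }
    return sniff(argv[1], 200) == 0 ? 0 : 1;
}
#endif
```

Run it elevated with the IP address of the adapter you want to sniff (the address the socket is bound to is what "outbound" is measured against), generate some traffic, and compare the inbound and outbound counts on the two machines; a zero outbound count with non-zero inbound is the symptom described in the question, measured rather than guessed. The parser does not check IP checksums or reassemble fragments, so treat the per-direction counts as a diagnostic, not as a full decoder.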
That's an interesting article, but it leaves me a bit confused. I don't use IPPROTO_TCP when creating my raw socket, I use IPPROTO_IP; does it make any difference? Unless my program shows incorrect data, when I'm analyzing traffic on the Windows 7 machine and put a filter on outgoing packets, I get results which seem to be correct. At least I see the same addresses and ports when checking with Winsock Packet Editor.
I indeed had some problems on the Windows 7 machine before, like incorrect data being shown, but I figured out it was the firewall that was causing the problems; after adding my program to the exception list it seemed to work fine. Maybe it's the firewall on the Windows XP machine as well.