I think the CPU usage is a bit high for such tool. After some experimentation with PCAP, I am able to decrease the CPU usage without losing any packets. Here the patch.
It's kind of hard to see what exactly changed here, but it seems you:
1) instead of BUFSIZ you're using a fixed value of 56. any reason for this?
2) I was doing a usleep of 0.1ms when there were no packets to be read. You changed 2 things: changed it to 100ms and sleep every iteration.
Indeed pcap will not lose packets, but it is also important that packets are handled quickly: nethogs looks at /proc/net/tcp to find out which process a packet belongs to, and if we wait too long, the connection might have disappeared from /proc/net/tcp. For this reason, I want to read packets as quickly as possible.
3) you're not passing 'errbuf' to 'dp_open_live' anymore, instead allocating it on the stack. Why?
4) you're not using pcap_open_live but instead pcap_create. why?