tcpdump mailing list archives

Re: Packet Direction with PCAP


From: Guy Harris <guy () alum mit edu>
Date: Thu, 8 Apr 2004 11:57:47 -0700


On Apr 8, 2004, at 6:52 AM, Fabio Duarte wrote:

Hi, some weeks ago I asked about how I could know if a pcap captured packet was transmitted to or received from the network. Well, I found a patch that solves this problem and it might help some people. It only works for Linux 2.4.x and later, but it could be used as reference for other platforms.

It changes the "pcap_pkthdr" structure.

That structure is not used in capture files, so this would work only for live captures, not saved captures - and if you also changed "pcap_sf_pkthdr", you'd have to change the capture file magic number.

It adds a field to that structure - but it adds it to the end of the structure, so it probably won't break most applications, unless, for example, those applications write such a structure to files, in which case the same problem as mentioned in the previous paragraph exists. However, if an application dynamically linked with libpcap assumes that field is present, it won't work on systems with older versions of the libpcap dynamically-linked (shared) library.

We have plans for changes to the libpcap file format that will allow us to add information such as the direction of the packet; we would have a new packet header structure that includes that information, which would be supplied to applications using a new API (those applications would also get the other new information we'd be adding as well; old applications would continue to work unchanged).

We would also add an API to request that packets sent by the machine not be captured; there exist mechanisms on at least some platforms to implement that, although not all platforms would necessarily support that.
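The savefile point in the message above, as an added example that is not part of the original post or of libpcap: a reader picks the per-record header size from the file's magic number alone, so writing a longer record header under the classic magic makes it lose record alignment. `EXT_MAGIC_DEMO` and the 20-byte layout with a trailing direction field are hypothetical, and the constructed image is in host byte order only.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCAP_MAGIC     0xa1b2c3d4u /* classic libpcap savefile magic */
#define EXT_MAGIC_DEMO 0xa1b2ffffu /* hypothetical magic, constructed for this example */
#define CLASSIC_HDR    16 /* on-disk record header: ts_sec, ts_usec, caplen, len (32-bit each) */
#define EXT_HDR        20 /* hypothetical: the same four fields plus a 32-bit direction */

/* Walk the records of a savefile image. Returns the record count, or -1 if the
   magic is unknown or a record would run past the end of the buffer. */
int count_records(const uint8_t *buf, size_t n)
{
    uint32_t magic, caplen;
    size_t hdr, off = 24;                  /* skip the 24-byte global file header */
    int count = 0;

    if (n < 24) return -1;
    memcpy(&magic, buf, 4);
    if (magic == PCAP_MAGIC) hdr = CLASSIC_HDR;
    else if (magic == EXT_MAGIC_DEMO) hdr = EXT_HDR;
    else return -1;
    while (off < n) {
        if (n - off < hdr) return -1;
        memcpy(&caplen, buf + off + 8, 4); /* caplen sits at offset 8 in both layouts */
        if (caplen > n - off - hdr) return -1;
        off += hdr + caplen;
        count++;
    }
    return count;
}

/* Build a constructed image of three 8-byte packets whose record headers are
   hdr_size bytes long, label it with `magic`, and return what the reader sees. */
int demo(uint32_t magic, size_t hdr_size)
{
    uint8_t img[128];
    size_t off = 24;
    memset(img, 0, 24);
    memcpy(img, &magic, 4);
    for (int i = 0; i < 3; i++) {
        uint32_t h[5] = { 0, 0, 8, 8, 1 }; /* ts, ts, caplen, len, direction */
        memcpy(img + off, h, hdr_size);
        memset(img + off + hdr_size, 0xAA, 8);
        off += hdr_size + 8;
    }
    return count_records(img, off);
}

int main(void)
{
    printf("classic: %d, extended with new magic: %d, extended under classic magic: %d\n",
           demo(PCAP_MAGIC, CLASSIC_HDR), demo(EXT_MAGIC_DEMO, EXT_HDR), demo(PCAP_MAGIC, EXT_HDR));
    return 0;
}
```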
