tcpdump mailing list archives

Re: Promiscuous mode and BPF filters?


From: Claudio Lavecchia <Claudio.Lavecchia () eurecom fr>
Date: Thu, 02 Dec 2004 16:14:55 +0100

Guy Harris wrote:


> if it *does* use "pcap_compile()" and "pcap_setfilter()", i.e. it already does packet filtering, it *adds* to the filter an expression to reject all the traffic from laptop B, i.e. instead of filtering with an expression X, you filter with "(not wlan src BB:BB:BB:BB:BB:BB) and (X)", where "BB:BB:BB:BB:BB:BB" is the source MAC address of laptop B's 802.11 card.
>
> It will not be the solution if you expect it to be able to filter out packets transparently to libpcap - there's only one filter per packet capture "handle", and libpcap uses that for its filtering. (That also applies if you're not using libpcap, but are directly opening a PF_PACKET socket - the only difference in that case is that your application contains code that duplicates what libpcap does, and that code has the same limitations as libpcap, as the limitation of "one filter per handle" is an OS limitation.)

That is pretty much what I wanted to realize and of course it is working. At the beginning I was looking for a "clean" way to tell the interface that is set in promiscuous mode not to send out the packets that were matching the address of laptop B. Of course the solution of not letting the sniffer process packets that I do not want to "see" works. At the beginning I just felt it was cleaner to set up things outside the sniffer code, but that was just for design's sake.

Thx a lot

Claudio
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
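
The combined expression described in the quoted reply, as an added example that is not part of the original messages or of libpcap: it builds the single filter string an application would pass to pcap_compile() and pcap_setfilter(). The helper names `valid_mac` and `compose_filter` are hypothetical, and the address is the placeholder used in the thread.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if s is exactly six colon-separated hex octets (xx:xx:xx:xx:xx:xx). */
static int valid_mac(const char *s)
{
    if (s == NULL || strlen(s) != 17)
        return 0;
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) {
            if (s[i] != ':')
                return 0;
        } else if (!isxdigit((unsigned char)s[i])) {
            return 0;
        }
    }
    return 1;
}

/*
 * Write "(not wlan src MAC) and (X)" into out, or just "not wlan src MAC"
 * when the application had no filter of its own (X is NULL or blank).
 * Returns 0 on success, -1 on a malformed MAC or if the result does not fit.
 */
int compose_filter(char *out, size_t outlen, const char *mac, const char *x)
{
    int n;

    if (!valid_mac(mac))    /* reject text that would alter the expression */
        return -1;
    while (x != NULL && isspace((unsigned char)*x))
        x++;
    if (x == NULL || *x == '\0')
        n = snprintf(out, outlen, "not wlan src %s", mac);
    else
        /* Parentheses keep an "or" inside X from escaping the exclusion. */
        n = snprintf(out, outlen, "(not wlan src %s) and (%s)", mac, x);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char f[256];
    /* Constructed sample: placeholder MAC from the thread, X = "tcp or udp". */
    if (compose_filter(f, sizeof f, "BB:BB:BB:BB:BB:BB", "tcp or udp") == 0)
        printf("%s\n", f);  /* this one string is the handle's only filter */
    return 0;
}
```

Without the parentheses around X, "not wlan src ... and tcp or udp" would be read left to right and let laptop B's UDP traffic through, since "and" and "or" have equal precedence in pcap filter syntax.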

