Re: to recognize incoming and outgoing packets

[Hannes Gredler <hannes () juniper net>]

Juan Pedro Muñoz Gea wrote:
> Hi all,
>
> I'm using pcap library to capture live packets.
> I want to distinguish incoming and outgoing captured packets
> in an interface in promiscuous mode, without examining the payload, but I
> don't know the way to do it.
>
> Using the PF_PACKET sockets family, if we use
> the "recvfrom" function and a "struct sockaddr_ll" in the "from" field, we
> can use the "struct sockaddr_ll.sll_pkttype" to know
> if the captured packet is a PACKET_OUTGOING.
> But I don't know if the there is something similar in the pcap library.
>
> Also, I would like knowing if I might to apply a "FILTER"
> for all the incoming packets, and so, I would only receive
>  the incoming packets.

yes that is supported and supposed to work.
you may look in the manpage for the keywords "inbound" and "outbound"

HTH,

/hannes
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.