tcpdump mailing list archives
Re: Filter incoming or leaving packets
From: Aaron Turner <synfinatic () gmail com>
Date: Fri, 27 Feb 2009 08:04:38 -0800
On Fri, Feb 27, 2009 at 6:53 AM, Johan Mazel <johan.mazel () gmail com> wrote:
> Hello,
>
> I would like to know if there is a way to use pcap_compile() to filter only incoming packets or only leaving packets in a host/network interface?
>
> I searched in the snort doc and in this tutorial (http://yuba.stanford.edu/~casado/pcap/section3.html). I found stuff linked to the filtering of packets coming or going from/to one host in particular, but nothing about incoming/leaving packets.
>
> Thanks in advance for the help.
>
> Johan Mazel
That's a really old tutorial. On some operating systems (I don't think it's fully cross platform) you can use pcap_setdirection(). In other cases, writing a BPF filter to look for packets with a source MAC of the listening host is good enough to get outbound only, while looking for anything else is good enough for inbound.

--
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
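The source-MAC approach from the reply above, as an added example that is not part of the original thread: it builds the filter text to pass to pcap_compile() for each direction and applies the same source-MAC test by hand to a raw frame. The MAC address, sample frames, and function names are constructed for illustration, and an Ethernet link type is assumed.

```c
#include <stdio.h>
#include <string.h>

enum direction { DIR_UNKNOWN = -1, DIR_IN, DIR_OUT };

/* Constructed sample data: a made-up MAC for the capturing host and two
 * minimal Ethernet headers (destination MAC, source MAC, EtherType). */
static const unsigned char HOST_MAC[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
static const unsigned char FRAME_SENT[14] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,  0x00, 0x11, 0x22, 0x33, 0x44, 0x55,  0x08, 0x06};
static const unsigned char FRAME_RECEIVED[14] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,  0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,  0x08, 0x00};

/* Write the filter text for pcap_compile(): "ether src <mac>" keeps frames
 * the host sent, "not ether src <mac>" keeps everything else.
 * Returns 0 on success, -1 on a bad direction or a too-small buffer. */
int build_direction_filter(const unsigned char mac[6], enum direction d,
                           char *out, size_t outlen)
{
    if (d != DIR_IN && d != DIR_OUT)
        return -1;
    int n = snprintf(out, outlen, "%sether src %02x:%02x:%02x:%02x:%02x:%02x",
                     d == DIR_IN ? "not " : "",
                     mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* The same test done by hand on one captured frame (Ethernet link type
 * assumed): bytes 6..11 hold the source MAC. */
enum direction classify_frame(const unsigned char *frame, size_t caplen,
                              const unsigned char mac[6])
{
    if (caplen < 12)
        return DIR_UNKNOWN; /* capture too short to contain the source MAC */
    return memcmp(frame + 6, mac, 6) == 0 ? DIR_OUT : DIR_IN;
}

int main(void)
{
    char filter[64];
    if (build_direction_filter(HOST_MAC, DIR_IN, filter, sizeof filter) == 0)
        printf("inbound filter:  %s\n", filter);
    if (build_direction_filter(HOST_MAC, DIR_OUT, filter, sizeof filter) == 0)
        printf("outbound filter: %s\n", filter);
    printf("FRAME_SENT -> %d, FRAME_RECEIVED -> %d\n",
           classify_frame(FRAME_SENT, sizeof FRAME_SENT, HOST_MAC),
           classify_frame(FRAME_RECEIVED, sizeof FRAME_RECEIVED, HOST_MAC));
    return 0;
}
```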