tcpdump mailing list archives
Re: relation of pcap_setdirection and inbound/outbound filter qualifiers
From: Guy Harris <guy () alum mit edu>
Date: Tue, 27 Nov 2012 16:18:29 -0800
On Nov 27, 2012, at 1:10 PM, Sam Roberts <vieuxtech () gmail com> wrote:
> We'd like to distinguish between ethernet frames received on an interface, and sent, and due to the nature of the traffic, we can't rely on the addressing information in the packets. Currently, we do this with an external tap, that generates separate pcaps for each direction. Works fine, but needs special hardware. We'd rather just bridge through a multi-port linux server. I note that libpcap has pcap_setdirection(), and someone tried to introduce a -P flag to set it (http://sourceforge.net/tracker/?func=detail&aid=2845468&group_id=53066&atid=469575). Is that because the "host inbound"/"host outbound" qualifiers in the pcap-filter syntax do the same thing? They aren't very well described, what do they mean for packets traversing a bridge setup using linux ebtables?
>
> And despite the dire warnings in the docs, are inbound and outbound, and pcap_setdirection, supported with libpcap 0.8 and Linux >= 3.5?
What pcap_setdirection() does depends on the underlying capture mechanism: some capture mechanisms (e.g., BPF on some platforms) support only a "don't show me outgoing packets" flag (probably intended mostly for programs *other* than protocol analyzers, e.g. programs using BPF directly, or through libpcap or some other library, to implement a protocol atop a link layer such as Ethernet); some capture mechanisms (e.g., newer versions of BPF on some platforms) support the ability to discard your choice of incoming or outgoing packets (or maybe both, but that's not very useful - you can get the same thing much more easily by opening and reading from /dev/null :-)); some capture mechanisms (e.g. Linux PF_PACKET sockets) support *reporting* the direction and thus leave it up to libpcap to do the actual discarding.

What "inbound" and "outbound" capture filters do depends on the underlying *link-layer type* as well as on the underlying capture mechanism. For most link-layer types and most capture mechanisms, there's no metadata indicating whether the packet is incoming or outgoing, and "inbound" and "outbound" aren't supported; the only link-layer types that provide that metadata are: SLIP (no, not PPP, *SLIP*); Solaris IPNET; Linux "cooked mode"; PF logging; some specialized formats used in capture files from Juniper devices.

In newer versions of libpcap on Linux, for *live* captures, they're also supported on other link-layer types, as the PF_PACKET mechanism supplies that information; the filtering is done in the kernel there by generating special BPF instructions to look at the metadata in question. That information isn't available in the capture file, so it's not supported on savefiles.

As for how they're defined, you'll have to dive into the kernel code path; "outgoing" means "somebody set the pkt_type field in the skbuff for the packet to PACKET_OUTGOING", so it's a question of what pkt_type gets set to for the packets in question.
_______________________________________________ tcpdump-workers mailing list tcpdump-workers () lists tcpdump org https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
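The reply above says that direction metadata survives in a savefile only for a few link-layer types, Linux "cooked mode" among them, and that "outbound" means the kernel's pkt_type was set to PACKET_OUTGOING. The following Python script is an added illustration of that point and is not code from the thread or from libpcap: it builds two constructed in-memory pcap images carrying the same packets, one with the Linux cooked-mode (DLT 113) header and one as plain Ethernet (DLT 1), then emulates what compiling an "inbound" or "outbound" qualifier against each savefile has to do. The cooked-mode header layout (a 2-byte packet type mirroring the kernel's PACKET_* values, with 4 meaning outgoing) and the pcap file format are the real ones; the addresses, payload and timestamps are made up for the example.

```python
import struct

# pcap "network" (link-layer type) values as registered by libpcap
DLT_EN10MB = 1        # plain Ethernet: no per-packet direction metadata in a savefile
DLT_LINUX_SLL = 113   # Linux "cooked mode": 16-byte header whose first field is pkt_type

# First field of the SLL header, mirroring the kernel's PACKET_* pkt_type values
SLL_HOST, SLL_BROADCAST, SLL_MULTICAST, SLL_OTHERHOST, SLL_OUTGOING = range(5)

PCAP_MAGIC = 0xA1B2C3D4   # classic little-endian pcap, microsecond timestamps


def sll_frame(pkt_type, payload):
    """Build a Linux cooked-mode record: pkt_type, ARPHRD_ETHER (1), address
    length 6, a constructed 6-byte MAC padded to 8, EtherType IPv4, then payload."""
    mac = bytes.fromhex("020000000001") + b"\x00\x00"   # constructed address
    return struct.pack(">HHH8sH", pkt_type, 1, 6, mac, 0x0800) + payload


def ether_frame(payload):
    """Build a plain Ethernet record with constructed MACs and EtherType IPv4."""
    dst = bytes.fromhex("020000000002")
    src = bytes.fromhex("020000000001")
    return dst + src + struct.pack(">H", 0x0800) + payload


def build_pcap(linktype, payloads):
    """Serialise a list of link-layer records into a classic pcap savefile image."""
    blob = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for i, data in enumerate(payloads):
        # constructed timestamps: seconds, microseconds, captured length, wire length
        blob += struct.pack("<IIII", 1354000000 + i, 0, len(data), len(data)) + data
    return blob


def parse_pcap(blob):
    """Yield (linktype, record bytes) for every record in a little-endian classic pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap image")
    off = 24
    while off < len(blob):
        _, _, incl_len, _ = struct.unpack_from("<IIII", blob, off)
        off += 16
        yield linktype, blob[off:off + incl_len]
        off += incl_len


def direction(linktype, data):
    """Return 'inbound' or 'outbound' from cooked-mode metadata, or None when the
    link-layer type carries no direction information (e.g. an Ethernet savefile)."""
    if linktype != DLT_LINUX_SLL or len(data) < 16:
        return None
    (pkt_type,) = struct.unpack_from(">H", data, 0)
    # Only pkt_type == outgoing counts as outbound; host, broadcast, multicast and
    # otherhost packets were all received, so they are inbound.
    return "outbound" if pkt_type == SLL_OUTGOING else "inbound"


def direction_filter(blob, qualifier):
    """Emulate applying 'inbound'/'outbound' to a savefile: return the indices of
    matching records, or raise when the link-layer type cannot support the qualifier."""
    if qualifier not in ("inbound", "outbound"):
        raise ValueError("qualifier must be 'inbound' or 'outbound'")
    kept = []
    for idx, (linktype, data) in enumerate(parse_pcap(blob)):
        d = direction(linktype, data)
        if d is None:
            raise ValueError(f"'{qualifier}' is not supported on link-layer type {linktype}")
        if d == qualifier:
            kept.append(idx)
    return kept


# Constructed sample captures: the same payload three times, once in cooked mode, once as Ethernet
PAYLOAD = bytes.fromhex("45000014000000004001") + b"\x00" * 10   # constructed, truncated IPv4 header
SLL_CAPTURE = build_pcap(DLT_LINUX_SLL, [
    sll_frame(SLL_HOST, PAYLOAD),        # received, addressed to this host
    sll_frame(SLL_OUTGOING, PAYLOAD),    # sent by this host
    sll_frame(SLL_BROADCAST, PAYLOAD),   # received broadcast
])
ETHER_CAPTURE = build_pcap(DLT_EN10MB, [ether_frame(PAYLOAD)] * 3)

if __name__ == "__main__":
    print("inbound :", direction_filter(SLL_CAPTURE, "inbound"))    # [0, 2]
    print("outbound:", direction_filter(SLL_CAPTURE, "outbound"))   # [1]
    try:
        direction_filter(ETHER_CAPTURE, "inbound")
    except ValueError as err:
        print("ethernet:", err)
```

The Ethernet image fails on purpose: the records are byte-for-byte the frames the wire carried, so nothing in the file says which side of the interface each one came from. That is the practical reason for the advice in the thread: if you need per-direction data from a Linux box in a savefile, capture in cooked mode (or keep the tap), rather than expecting an Ethernet capture to be filterable by direction after the fact.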