tcpdump mailing list archives
Re: scan_sys_class_net bug in pcap-linux.c
From: Guy Harris <guy () alum mit edu>
Date: Wed, 5 Dec 2012 15:24:57 -0800
On Dec 5, 2012, at 2:56 PM, Paul Sheer <paulsheer () gmail com> wrote:
> I would like to capture on all interfaces, but I would also like to know, with each packet, what interface it arrived on and left out of. This information is contained within the Linux kernel skbuff. But pcap does not see it.
What's really wanted there is a new API and pcap-ng support, so that the interface ID and interface information can be present in the capture file. You could capture with multiple pcap_t's, one for each interface, but not with the "any" device, as that doesn't supply the interface index.
> I also want to see both source and destination hardware addresses of the Ethernet packet (if it is Ethernet). I guess this feature requires kernel changes.
If the kernel allows an unbound PF_PACKET/SOCK_RAW socket, you could get that, but filtering would be difficult unless all interfaces have the same ARPHRD_ type - in-kernel filtering might apply to the socket, in which case it might be difficult or impossible to do it (the BPF program would have to determine the link-layer header type for the packet and jump to the appropriate filtering code), and userland filtering might be tricky as well (it would have to determine the link-layer header type for each interface and apply the appropriate filter). If you do this by capturing on multiple pcap_t's, that's easier.
> The second problem is that tcpdump seems to have no way of listening on all interfaces. So if you are trying to track SCTP packets that use two separate interfaces, it seems you have to use wireshark instead.
The only way tcpdump currently supports for listening on all interfaces is the "any" device. If it could write pcap-ng files, it could do the same thing Wireshark does - open multiple pcap_t's and capture on all of them.
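Added example, not part of the message above and not libpcap code: a Linux C sketch of the unbound PF_PACKET/SOCK_RAW approach discussed in the reply, where recvfrom() fills a sockaddr_ll whose sll_ifindex, sll_pkttype and sll_hatype give the interface, direction and link-layer type per packet, and userland picks the header decode from sll_hatype. The names pkt_info and describe_packet are hypothetical; it assumes ARPHRD_LOOPBACK frames carry an Ethernet-style header, and running main() needs CAP_NET_RAW.

```c
#include <arpa/inet.h>
#include <linux/if_packet.h>
#include <net/ethernet.h>
#include <net/if_arp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct pkt_info {            /* hypothetical result struct */
    int ifindex;             /* interface index reported by the kernel */
    int outgoing;            /* 1 if this host sent the packet */
    int has_mac;             /* 1 if dst/src/ethertype are valid */
    uint8_t dst[6], src[6];
    uint16_t ethertype;
};

/* Pick the link-layer decode per packet from sll_hatype (userland demux). */
int describe_packet(const struct sockaddr_ll *from, const uint8_t *buf,
                    size_t len, struct pkt_info *out)
{
    memset(out, 0, sizeof *out);
    out->ifindex = from->sll_ifindex;
    out->outgoing = (from->sll_pkttype == PACKET_OUTGOING);
    if (from->sll_hatype != ARPHRD_ETHER && from->sll_hatype != ARPHRD_LOOPBACK)
        return 0;            /* other ARPHRD_ types: no MAC decode here */
    if (len < 14)
        return -1;           /* truncated Ethernet header */
    memcpy(out->dst, buf, 6);
    memcpy(out->src, buf + 6, 6);
    out->ethertype = (uint16_t)(buf[12] << 8 | buf[13]);
    out->has_mac = 1;
    return 0;
}

int main(void)
{
    uint8_t buf[65536];
    struct pkt_info pi;
    int fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); /* never bound */
    if (fd < 0) { perror("socket"); return 1; }
    for (int i = 0; i < 10; i++) {   /* print the first ten packets seen */
        struct sockaddr_ll from;
        socklen_t flen = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &flen);
        if (n < 0) { perror("recvfrom"); break; }
        if (describe_packet(&from, buf, (size_t)n, &pi) == 0)
            printf("if=%d %s mac=%d type=0x%04x\n", pi.ifindex,
                   pi.outgoing ? "out" : "in", pi.has_mac, pi.ethertype);
    }
    close(fd);
    return 0;
}
```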