Nmap Development mailing list archives
pcap_register
From: David Fifield <david () bamsoftware com>
Date: Thu, 25 Feb 2010 15:48:12 -0700
On Thu, Feb 25, 2010 at 04:36:44PM -0600, Kris Katterjohn wrote:
The BPF filter alone won't prohibit one script from receiving another script's packets. As I understand it, that's the purpose of the extra pcap_register step. You could make the matching more robust by registering all the information that you currently have in the BPF, which is the source and destination hosts as well as the source port.I'm not understanding the purposefulness of this. Why is one script with a filter for one host still getting packets from another host responding to a different script? Matching source ports or not, I don't think it should happen because of the different address *in the filter*. It's all raw packets here, so I don't grasp why this isn't done. I thought the pcap_register() bit was like additional filtering, after the processing pcap does with its BPF filter. I thought it was very useful when things change, like the source port in the script, but only if (as I imagined) it happens after pcap's filtering. In this regard, I wanted to put as much in the BPF filter as I could to reduce the pcap_register() stuff, so if the filter doesn't really filter for the script, I must ask: what's the point of having both? Or better yet: what advantages does the current way present?
It's more complicated than you would think at first. Marek Majkowski explained to me a little while ago, but I don't think I understand it well enough to speak authoritatively. I'll copy him on this and maybe he can tell you more about it. David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: error compiling 5.21, (continued)
- Re: error compiling 5.21 Mike Calmus (Feb 23)
- Re: Raw IP NSE Functionality (Was Re: [NSE] Raw ethernet frame questions ...) Patrick Donnelly (Feb 17)
- Re: Raw IP NSE Functionality (Was Re: [NSE] Raw ethernet frame questions ...) Kris Katterjohn (Feb 17)
- Re: Raw IP NSE Functionality David Fifield (Feb 23)
- Re: Raw IP NSE Functionality Patrick Donnelly (Feb 23)
- Re: Raw IP NSE Functionality Patrick Donnelly (Feb 23)
- Re: Raw IP NSE Functionality Kris Katterjohn (Feb 23)
- Re: Raw IP NSE Functionality David Fifield (Feb 23)
- Re: Raw IP NSE Functionality David Fifield (Feb 25)
- Re: Raw IP NSE Functionality Kris Katterjohn (Feb 25)
- pcap_register David Fifield (Feb 25)
- Re: pcap_register majek04 (Feb 26)
- Re: pcap_register Kris Katterjohn (Feb 26)
- Re: Raw IP NSE Functionality kx (Feb 25)
- Re: Raw IP NSE Functionality David Fifield (Feb 25)
- Re: Raw IP NSE Functionality Kris Katterjohn (Feb 26)