pcap_register

[David Fifield <david () bamsoftware com>]

On Thu, Feb 25, 2010 at 04:36:44PM -0600, Kris Katterjohn wrote:
> > The BPF filter alone won't prohibit one script from receiving another
> > script's packets. As I understand it, that's the purpose of the extra
> > pcap_register step. You could make the matching more robust by
> > registering all the information that you currently have in the BPF,
> > which is the source and destination hosts as well as the source port.
>
> I'm not understanding the purposefulness of this.  Why is one script with a
> filter for one host still getting packets from another host responding to a
> different script?  Matching source ports or not, I don't think it should
> happen because of the different address *in the filter*.  It's all raw packets
> here, so I don't grasp why this isn't done.
>
> I thought the pcap_register() bit was like additional filtering, after the
> processing pcap does with its BPF filter.  I thought it was very useful when
> things change, like the source port in the script, but only if (as I imagined)
> it happens after pcap's filtering.
>
> In this regard, I wanted to put as much in the BPF filter as I could to reduce
> the pcap_register() stuff, so if the filter doesn't really filter for the
> script, I must ask: what's the point of having both?  Or better yet: what
> advantages does the current way present?

It's more complicated than you would think at first. Marek Majkowski
explained to me a little while ago, but I don't think I understand it
well enough to speak authoritatively. I'll copy him on this and maybe he
can tell you more about it.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/