Re: incoming v/s outgoing packets?

[Guy Harris <gharris () sonic net>]

On Wed, Jun 04, 2003 at 12:46:28AM -0700, Ben Greear wrote:
> Is there any fool-proof way to determine if a packet
> was coming into the interface v/s going out the interface
> when looking at a libpcap dump file?

No.

It is not always the case that the packet capture mechanism used by
libpcap even supplies that information; the libpcap capture file format
thus doesn't include that information.

On an interface where there are no link-layer addresses, you're
completely out of luck in that case, unless the machine is doing no
routing and you can thus look at the network-layer address (and even
then it works only for packets that *have* network-layer addresses).

On an interface where there are link-layer addresses, you can try to
determine whether a packet is incoming or outgoing by seeing whether the
link-layer address is that of the interface or not.  I don't know
whether that's guaranteed or not.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe