tcpdump mailing list archives

Re: pcap_findalldevs, pcap_addr doesn't have AF_INET entries on OSX


From: Guy Harris <guy () alum mit edu>
Date: Sun, 3 Apr 2011 10:14:52 -0700


On Apr 2, 2011, at 7:40 PM, Bob wrote:

Hello, I just noticed that no AF_INET address is returned when getting an interface list (from pcap_findalldevs) on OSX even when an IPv4 address is assigned to that interface. An AF_INET6 address is however returned.  Is this the expected behavior?

No:

$ sudo ./findalldevstest
Password:

        ...

ppp0
        Loopback: no
        Address Family: Unknown (18)
        Address Family: AF_INET
                Address: {censored}
                Netmask: 255.0.0.0
                Destination Address: {censored}

utun0
        Loopback: no
        Address Family: Unknown (18)
        Address Family: AF_INET6
                Address: {censored}
                Netmask: ffff:ffff:ffff:ffff::
                Destination Address: {censored}
        Address Family: AF_INET6
                Address: {censored}
                Netmask: ffff:ffff:ffff:ffff::
                Destination Address: {censored}

en1
        Loopback: no
        Address Family: Unknown (18)
        Address Family: AF_INET6
                Address: {censored}
                Netmask: ffff:ffff:ffff:ffff::
        Address Family: AF_INET
                Address: 10.0.1.4
                Netmask: 255.255.255.0
                Broadcast Address: 10.0.1.255

lo0
        Loopback: yes
        Address Family: Unknown (18)
        Address Family: AF_INET6
                Address: ::1
                Netmask: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        Address Family: AF_INET6
                Address: fe80::1
                Netmask: ffff:ffff:ffff:ffff::
        Address Family: AF_INET
                Address: 127.0.0.1
                Netmask: 255.0.0.0
        Address Family: AF_INET6
                Address: fdf0:3858:d17b:6465:223:32ff:fe9e:23b6
                Netmask: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Are you checking *ALL* the addresses in the address lists for the interfaces, or just the *first* address?  pcap_findalldevs() doesn't return *an* address per interface, it returns a list of zero or more addresses, so you have to look at all of them.

Am I doing something wrong?

If you're assuming that the "addresses" pointer in a pcap_if_t points to the one-and-only address for the interface, yes, you're doing something wrong.

Also, any suggestions for a cross-platform means of getting a MAC address (AF_LINK).

Unfortunately, it's platform-dependent.  At some point we'll probably have APIs in libpcap to return interface information in the form of a pcap-ng Interface Description Block:

        http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html#sectionidb

which will be able to supply MAC addresses as well as IPv4 and IPv6 addresses.
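Added example (not part of the message above and not libpcap's own code): walking the whole address list of one interface instead of looking only at its first entry. The struct is a stand-in with the same fields as pcap_addr_t so the block builds without libpcap; the helper names and the sample list, modelled on the en1 output above, are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
/* Stand-in with the same fields as libpcap's pcap_addr_t, so this builds
 * without libpcap; with libpcap, include <pcap.h> and drop this struct. */
struct pcap_addr {
    struct pcap_addr *next;
    struct sockaddr *addr, *netmask, *broadaddr, *dstaddr;
};

/* Walk the WHOLE list; return the first entry of the wanted family, or NULL. */
const struct pcap_addr *find_family(const struct pcap_addr *a, int family)
{
    for (; a != NULL; a = a->next)
        if (a->addr != NULL && a->addr->sa_family == family)
            return a;
    return NULL;
}

/* The mistake described in the reply: only the head of the list is examined. */
int first_entry_is(const struct pcap_addr *a, int family)
{
    return a != NULL && a->addr != NULL && a->addr->sa_family == family;
}

/* Constructed sample: en1 from the output above (family 18, AF_INET6, AF_INET). */
static struct sockaddr     link_sa = { .sa_family = 18 };
static struct sockaddr_in6 v6_sa   = { .sin6_family = AF_INET6 };
static struct sockaddr_in  v4_sa   = { .sin_family = AF_INET };
static struct pcap_addr n3 = { NULL, (struct sockaddr *)&v4_sa };
static struct pcap_addr n2 = { &n3, (struct sockaddr *)&v6_sa };
static struct pcap_addr n1 = { &n2, &link_sa };
/* Return the sample interface's IPv4 address as text, or NULL if none. */
const char *sample_ipv4(char *buf, size_t len)
{
    const struct pcap_addr *a = find_family(&n1, AF_INET);
    inet_pton(AF_INET, "10.0.1.4", &v4_sa.sin_addr); /* constructed value */
    return a == NULL ? NULL : inet_ntop(AF_INET,
        &((struct sockaddr_in *)a->addr)->sin_addr, buf, (socklen_t)len);
}

int main(void)
{
    char buf[INET_ADDRSTRLEN];
    printf("head is AF_INET: %d; full walk finds %s\n",
           first_entry_is(&n1, AF_INET), sample_ipv4(buf, sizeof buf));
    return 0;
}
```

With libpcap itself, the same loop runs over the "addresses" member of each pcap_if_t returned by pcap_findalldevs().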

