Re: scan_sys_class_net bug in pcap-linux.c

[Paul Sheer <paulsheer () gmail com>]

cool

i would encourage tcpdump-workers to try to eventually support opening up
multiple devices and listening on all of them

for instance, the command,

     tcpdump -e -i any

that would show output like:

   11:42:25.170257     >eth1    00:24:bf:5b:d4:d6 > 00:0c:29:f7:7f:e9,
ethertype IPv4 (0x0800), length ....
   11:42:25.171312     <eth2    00:30:c1:9d:8d:80 > 00:22:54:7b:41:06,
ethertype IPv4 (0x0800), length ....

(where ">eth1"  means  "arrived at eth1", and "<eth2" means "sent by eth2" )

is *extremely* useful.

-paul


On Wed, Dec 5, 2012 at 5:24 PM, Guy Harris <guy () alum mit edu> wrote:

> On Dec 5, 2012, at 2:56 PM, Paul Sheer <paulsheer () gmail com> wrote:
>
> > I would like to capture on all interfaces, but I would also like to
> know, with each packet, what interface it arrived on and left out of.
> > This information is contained within the Linux kernel skbuff.
> >
> > But pcap does not see it.
>
> What's really wanted there is a new API and pcap-ng support, so that the
> interface ID and interface information can be present in the capture file.
>  You could capture with multiple pcap_t's, one for each interface, but not
> with the "any" device, as that doesn't supply the interface index.
>
> > I also want to see both source and destination hardware addresses of the
> Ethernet packet (if it is Ethernet).
> > I guess this feature requires kernel changes.
>
> If the kernel allows an unbound PF_PACKET/SOCK_RAW socket, you could get
> that, but filtering would be difficult unless all interfaces have the same
> ARPHRD_ type - in-kernel filtering might apply to the socket, in which case
> it might be difficult or impossible to do it (the BPF program would have to
> determine the link-layer header type for the packet and jump to the
> appropriate filtering code), and userland filtering might be tricky as well
> (it would have to determine the link-layer header type for each interface
> and apply the appropriate filter).
>
> If you do this by capturing on multiple pcap_t's, that's easier.
>
> > The second problem is that tcpdump seems to have no way of listening on
> all interfaces. So if you are trying to track SCTP packets that use two
> separate interfaces, it seems you have to use wireshark instead.
>
> The only way tcpdump currently supports for listening on all interfaces is
> the "any" device.  If it could write pcap-ng files, it could do the same
> thing Wireshark does - open multiple pcap_t's and capture on all of them.
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers