Re: relation of pcap_setdirection and inbound/outbound filter qualifiers

[Guy Harris <guy () alum mit edu>]

On Nov 27, 2012, at 1:10 PM, Sam Roberts <vieuxtech () gmail com> wrote:

> We'd like to distinguish between ethernet frames received on an
> interface, and sent, and due to the nature of the traffic, we can't
> rely on the addressing information in the packets.
>
> Currently, we do this with an external tap, that generates seperate
> pcaps for each direction. Works fine, but needs special hardware. We'd
> rather just bridge through a multi-port linux server.
>
> I note that libpcap has pcap_setdirection(), and someone tried to
> introduce a -P flag to set it
> (http://sourceforge.net/tracker/?func=detail&aid=2845468&group_id=53066&atid=469575).
>
> Is that because the "host inbound"/"host outbound"  qualifiers in the
> pcap-filter syntax do the same thing? They aren't very well described,
> what do they mean for packets traversing a bridge setup using linux
> ebtables?

> And despite the dire warnings in the docs, is inbound and outbound,
> pcap_setdirection supported with libpcap 0.8 and Linux >= 3.5?

What pcap_setdirection() does depends on the underlying capture mechanism:

        some capture mechanisms (e.g., BPF on some platforms) support only a "don't show me outgoing packets" flag 
(probably intended mostly for programs *other* than protocol analyzers, e.g. programs using BPF directly, or through 
libpcap or some other library, to implement a protocol atop a link layer such as Ethernet);

        some capture mechanisms (e.g., newer versions of BPF on some platforms) support the ability to discard your 
choice of incoming or outgoing packets (or maybe both, but that's not very useful - you can get the same thing much 
more easily by opening and reading from /dev/null :-));

        some capture mechanisms (e.g. Linux PF_PACKET sockets) support *reporting* the direction and thus leave it up 
to libpcap to do the actual discarding.

What "inbound" and "outbound" capture filters do depends on the underlying *link-layer type* as well as on the 
underlying capture mechanism.  For most link-layer types and most capture mechanisms, there's no metadata indicating 
whether the packet is incoming or outgoing, and "inbound" and "outbound" aren't supported; the only link-layer types 
that provide that metadata are:

        SLIP (no, not PPP, *SLIP*);

        Solaris IPNET;

        Linux "cooked mode";

        PF logging;

        some specialized formats used in capture files from Juniper devices.

In newer versions of libpcap Linux, for *live* captures, they're also supported on other link-layer types, as the 
PF_PACKET mechanism supplies that information; the filtering is done in the kernel there by generating special BPF 
instructions to look at the metadata in question.  That information isn't available in the capture file, so it's not 
supported on savefiles.

As for how they're defined, you'll have to dive into the kernel code path; "outgoing" means "somebody set the pkt_type 
field in the skbuff for the packet to PACKET_OUTGOING", so it's a question of what pkt_type gets set to for the packets 
in question.
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers