Date:      Mon, 4 Aug 2003 17:01:21 +0100
From:      Bruce M Simpson <bms@spc.org>
To:        Andrew Konstantinov <andrei@andruxa.sytes.net>, freebsd-hackers@freebsd.org
Subject:   Re: libpcap
Message-ID:  <20030804160121.GB27970@spc.org>
In-Reply-To: <20030803191343.GA1224@andruxa.sytes.net>
References:  <20030803191343.GA1224@andruxa.sytes.net>

On Sun, Aug 03, 2003 at 12:13:43PM -0700, Andrew Konstantinov wrote:
> 1) Is there any way I can specify in the filter description that it should match only incoming packets on some interface? inbound/outbound keywords work only for 'slip' (according to tcpdump man page). I could do that with 'not src host' and then put the local hostname after that, but is there a more general solution, without the need for local hostname or IP address?

You need to call pcap_open_live() with the appropriate device argument,
if you wish to monitor individual interfaces.

Unfortunately the pcap interface doesn't support a means of passing the
interface name to a callback handler function. So you'd have to rewrite
pcap_loop() to call pcap_dispatch() for individual pcap_t's for each
interface you pay specific attention to.

Most pcap apps I've written that do anything elaborate require me to
override pcap_loop() anyway. Perhaps there's a good candidate for extending
the interface so that this sort of thing can be more easily done.

> 2) I can't figure out how to set up a filter so it could match several ports at once. For example, I want the filter to only match 21-25 and 113 ports for incoming traffic. How do I do that? Right now I can see only two solutions. I could simply sniff all the traffic, and then filter out the interesting ports by myself, or I could set up several filters each of which would be responsible for a specific port. But both solutions seem to be inefficient. Is there a better way to accomplish this?

This is on PHK's kernel hacker TODO list! Patches gratefully accepted...

http://people.freebsd.org/~phk/TODO/

BMS
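
Added example, not part of the original message and not libpcap code: a sketch of the per-packet work a handler could do when each interface has its own pcap_t and pcap_dispatch() is called per handle, so the handler can be given a per-interface context through the `user` argument. It checks the destination port in user space for TCP ports 21-25 and 113 and refuses to read past the captured length. The names `ifctx`, `tcp_dst_port`, `on_packet`, `make_frame` and the interface `em0` are hypothetical, and the code assumes untagged Ethernet II frames carrying IPv4.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-interface context; with libpcap a pointer to it would be
 * the `user` argument of pcap_dispatch() for that interface's pcap_t. */
struct ifctx { const char *ifname; unsigned long matched, other; };
static unsigned be16(const unsigned char *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* TCP destination port of an Ethernet II / IPv4 frame, or -1 when the frame is
 * not IPv4+TCP, is a later fragment, or caplen stops before the ports. */
int tcp_dst_port(const unsigned char *f, size_t caplen) {
    if (caplen < 14 + 20 || be16(f + 12) != 0x0800)
        return -1;                               /* not IPv4, or IP header cut */
    const unsigned char *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6)
        return -1;                               /* bad version/IHL, or not TCP */
    if ((be16(ip + 6) & 0x1fff) || caplen < 14 + ihl + 4)
        return -1;                               /* fragment, or ports not captured */
    return (int)be16(ip + ihl + 2);
}

/* Per-packet work for one interface: count frames to TCP ports 21-25 or 113. */
int on_packet(struct ifctx *ctx, const unsigned char *f, size_t caplen) {
    int port = tcp_dst_port(f, caplen);
    int hit = (port >= 21 && port <= 25) || port == 113;
    if (hit) ctx->matched++; else ctx->other++;
    return hit;
}

/* Constructed sample: minimal 54-byte Ethernet/IPv4/TCP frame to `dport`. */
size_t make_frame(unsigned char *buf, unsigned dport) {
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[13] = 0x00;              /* EtherType IPv4 */
    buf[14] = 0x45; buf[23] = 6;                 /* IPv4, IHL 5, protocol TCP */
    buf[36] = (unsigned char)(dport >> 8); buf[37] = (unsigned char)dport;
    return 54;
}

int main(void) {
    struct ifctx em0 = { "em0", 0, 0 };          /* assumed interface name */
    unsigned char frame[54];
    for (unsigned p = 20; p <= 26; p++)          /* constructed traffic */
        on_packet(&em0, frame, make_frame(frame, p));
    printf("%s: matched=%lu other=%lu\n", em0.ifname, em0.matched, em0.other);
    return 0;
}
```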


