From owner-freebsd-hackers@FreeBSD.ORG Mon Aug 4 09:03:58 2003
Date: Mon, 4 Aug 2003 17:01:21 +0100
From: Bruce M Simpson
To: Andrew Konstantinov, freebsd-hackers@freebsd.org
Message-ID: <20030804160121.GB27970@spc.org>
In-Reply-To: <20030803191343.GA1224@andruxa.sytes.net>
Organization: SPC
Subject: Re: libpcap
List-Id: Technical Discussions relating to FreeBSD

On Sun, Aug 03, 2003 at 12:13:43PM -0700, Andrew Konstantinov wrote:
> 1) Is there any way I can specify in the filter description that it
> should match only incoming packets on some interface? inbound/outbound
> keywords work only for 'slip' (according to the tcpdump man page). I could
> do that with 'not src host' and then put the local hostname after that,
> but is there a more general solution, without the need for the local
> hostname or IP address?

You need to call pcap_open_live() with the appropriate device argument, if
you wish to monitor individual interfaces.
Unfortunately the pcap interface doesn't support a means of passing the
interface name to a callback handler function. So you'd have to rewrite
pcap_loop() to call pcap_dispatch() for individual pcap_t's for each
interface you pay specific attention to.

Most pcap apps I've written that do anything elaborate require me to
override pcap_loop() anyway. Perhaps there's a good candidate for extending
the interface so that this sort of thing can be more easily done.

> 2) I can't figure out how to set up a filter so it could match several
> ports at once. For example, I want the filter to only match ports 21-25
> and 113 for incoming traffic. How do I do that? Right now I can see only
> two solutions. I could simply sniff all the traffic, and then filter out
> the interesting ports by myself, or I could set up several filters, each
> of which would be responsible for a specific port. But both solutions
> seem to be inefficient. Is there a better way to accomplish this?

This is on PHK's kernel hacker TODO list! Patches gratefully accepted...

http://people.freebsd.org/~phk/TODO/

BMS
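As an added example (not code from this thread or from libpcap), here is the first fallback the question mentions, "filter out the interesting ports by myself": a user-space matcher that parses a captured Ethernet/IPv4/TCP frame and checks the destination port against the 21-25 and 113 set. It rejects anything it cannot parse safely (short frames, non-IPv4, non-TCP, IP options handled via IHL, and non-first fragments, which carry no TCP header at all, so a port filter can never see them); `match_dst_port` and `build_frame` are names chosen here, and `build_frame` only constructs sample input.

```c
/* Added example, not from the thread: user-space matching of captured
 * frames against the port set from the question (TCP 21-25 and 113).
 * Pure C, no libpcap needed; build_frame() constructs sample input. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct port_range { uint16_t lo, hi; };          /* inclusive range */
static const struct port_range wanted[] = { {21, 25}, {113, 113} };

static int port_wanted(uint16_t port)
{
    for (size_t i = 0; i < sizeof wanted / sizeof wanted[0]; i++)
        if (port >= wanted[i].lo && port <= wanted[i].hi)
            return 1;
    return 0;
}

/* Return 1 if frame is an Ethernet/IPv4/TCP first-or-only fragment whose
 * destination port is in the set, else 0. Every offset is bounds-checked
 * before use: a captured packet is untrusted input. */
int match_dst_port(const uint8_t *frame, size_t len)
{
    if (len < 14 + 20) return 0;                            /* Ethernet + IPv4 */
    if (frame[12] != 0x08 || frame[13] != 0x00) return 0;   /* EtherType IPv4 */
    const uint8_t *ip = frame + 14;
    if ((ip[0] >> 4) != 4) return 0;                        /* IP version */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;                /* IHL, options included */
    if (ihl < 20 || 14 + ihl + 4 > len) return 0;           /* need both TCP ports */
    if (ip[9] != 6) return 0;                               /* protocol == TCP */
    unsigned frag_off = ((ip[6] & 0x1f) << 8) | ip[7];
    if (frag_off != 0) return 0;        /* later fragments carry no TCP header */
    const uint8_t *tcp = ip + ihl;
    uint16_t dport = (uint16_t)((tcp[2] << 8) | tcp[3]);
    return port_wanted(dport);
}

/* Constructed test input: minimal Ethernet/IPv4/TCP frame (54 bytes) with the
 * given IP protocol, fragment offset (8-byte units) and TCP destination port. */
size_t build_frame(uint8_t *buf, uint8_t proto, uint16_t frag_off, uint16_t dport)
{
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[13] = 0x00;                         /* EtherType IPv4 */
    buf[14] = 0x45;                                         /* v4, IHL 5 */
    buf[14 + 6] = (frag_off >> 8) & 0x1f; buf[14 + 7] = frag_off & 0xff;
    buf[14 + 9] = proto;
    buf[14 + 20 + 2] = dport >> 8; buf[14 + 20 + 3] = dport & 0xff;
    return 54;
}
```

Later libpcap releases added the `portrange` keyword, so `tcp dst portrange 21-25 or tcp dst port 113` now expresses the same set as one kernel-side BPF filter; the user-space version above is still the only one that can be made to refuse fragments explicitly.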