Is there any reason this patch hasn't been looked at yet? I've fixed the patch to apply to latest libpcap source (1.0.0-2), find attached.
I'd find this a massively useful feature; often the direction matters. E.g. to watch traffic relating to a local ssh server, ignoring local ssh clients:

    tcpdump inbound tcp dest port 22 or outbound tcp src port 22

Without inbound/outbound support, it is impossible.

While we're at it, also it would be useful to have some selection on the interface name when doing -i any. E.g. to watch what happens to traffic being forwarded eth0 -> eth1:

    tcpdump -i any inbound iface eth0 or outbound iface eth1

Though admittedly this one would require more printing of details on the output (namely, the direction and interface); I'd want to see something like:

    17:09:22.021483 IN eth0 IP 192.168.2.1.domain > 192.168.2.221.56936: 24709 NXDomain 0/1/0 (97)
    17:09:22.021504 OUT eth1 IP 192.168.2.1.domain > 192.168.2.221.56936: 24709 NXDomain 0/1/0 (97)

which then becomes a bug also for tcpdump. But the low levels of this are pcap's domain, at least.

Having looked over the LINUX_SLL link type I don't think it's possible there, as pcap throws away the sll_pkttype and sll_ifindex fields. Perhaps this would require a new LINUX_SLL2 link type? I'd be happy to code this one up...

--
Paul "LeoNerd" Evans

leon...@leonerd.org.uk
ICQ# 4135350 | Registered Linux# 179460
http://www.leonerd.org.uk/
--- gencode.c 2009-06-30 17:23:17.625545480 +0100 +++ gencode.c 2009-06-30 17:18:53.000000000 +0100 @@ -7243,6 +7243,19 @@ * Only some data link types support inbound/outbound qualifiers. */ switch (linktype) { + case DLT_EN10MB: + /* ethernet flags (including direction) are stored + * the byte after the 3-byte magic number */ + if (dir) { + /* match outgoing packets */ + b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01); + } else { + /* incoming packets */ + b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01); + } + + break; + case DLT_SLIP: b0 = gen_relation(BPF_JEQ, gen_load(Q_LINK, gen_loadi(0), 1),
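Review bot: the new `case DLT_EN10MB:` tests bit 0x01 of the byte at link-layer offset 3 with no check that the capture actually carries the "3-byte magic number" the comment mentions. On an ordinary DLT_EN10MB frame the header starts with the 6-byte destination MAC address, so offset 3 is the fourth byte of that address, and `inbound`/`outbound` would then match on an address bit rather than a direction flag. Please say in the comment which capture source or platform produces the magic-plus-flags layout, and either restrict this case to that source or give the format its own link type, so the qualifier is rejected (as the existing comment "Only some data link types support inbound/outbound qualifiers" implies) wherever the flag byte is absent. The literals `3` and `0x01` in `gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01)` would also read better as named constants for the flag offset and the direction bit.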