On Mon, Jan 31, 2005 at 02:50:15AM -0800, Guy Harris wrote: > Karsten Keil wrote: > > >Hmm, I think it should be become a general feature, since filtering for > >inbound/outbound for pppd based connections is a common problem and not > >Linux specific. > > But overwriting the 0xff might, or might not, be the way it's done on > all other platforms. (Also, can't the address and control bytes be > negotiated away on a PPP connection? If so, there's no place to put the > direction flag; if any platform supports negotiating it away, it'd > *have* to use a different mechanism.) >
Yes of course this is a problem (note most PPP connections use header compression) but it is solved for filtering, filters always need a well defined header, regardless what is sent on the wire. So the activ/pass filter always run after decompress (incoming) or before additional compression (outgoing) - in this case (de)compression include stripping/reinserting optional header bytes. So the paket which is sent trough the filter always has the same header struct with the modified first byte. > Even if other platforms use it, it should still be tied to pppd, e.g. > DLT_PPPD_PPP_WITHDIRECTION, or perhaps just DLT_PPPD, to indicate that > it's only the way that the direction is supplied with the special > filtering for the benefit of pppd, and that this isn't supplied with > normal PPP captures. Maybe PPPD people should decide the name, but it should be decided now and not changed afterwards again, it make trouble enough to detect, if the correct version of libpcap is installed and fallback to not in/out capable filter if not. At the moment even actual pppd will fallback to DLT_PPP, because DLT_PPP_WITHDIRECTION is not longer defined in current snapshoots. > > >Note FreeBSD still use DLT_PPP yet and so run into the same problems with > >libpcap 0.8X (it cannot filter OUT/IN bound) with DLT_PPP of libpcap 0.8X > >versions, in libpcap 0.7X it was possible, because the in/outbound flag was > >implemented in DLT_PPP in the same way as now DLT_PPP_WITH_DIRECTION does. > > But 0.7x allowed you to specify inbound or outbound when capturing on a > PPP link, the fact that it didn't work nonwithstanding, so 0.8x is doing > the right thing here (libpcap's primary purpose is for packet capture). Yes of course and that was the reason why I request finally a new DLT and not want to change back to old behavior. -- Karsten Keil SuSE Labs ISDN development - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
