Juan Pedro Muñoz Gea wrote: > Hi all, > > I'm using pcap library to capture live packets. > I want to distinguish incoming and outgoing captured packets > in an interface in promiscuous mode, without examining the payload, but I > don't know the way to do it. > > Using the PF_PACKET sockets family, if we use > the "recvfrom" function and a "struct sockaddr_ll" in the "from" field, we > can use the "struct sockaddr_ll.sll_pkttype" to know > if the captured packet is a PACKET_OUTGOING. > But I don't know if the there is something similar in the pcap library. > > Also, I would like knowing if I might to apply a "FILTER" > for all the incoming packets, and so, I would only receive > the incoming packets.
yes that is supported and supposed to work. you may look in the manpage for the keywords "inbound" and "outbound" HTH, /hannes - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
