On Dec 6, 2004, at 2:07 AM, Peter Sandford wrote:
I need to capture from 2 interfaces on a machine in promiscuous mode. This is because we are routing a copy of 2 load balanced streams onto a box for monitoring.
I'm aware it isn't possible (?) to listen on "any" with a pcap_open_live
in promiscuous as the flag is ignored,
The problem is that the "any" device, on Linux, is implemented by capturing on a socket that's not bound to any interface; this means that it can't be used to set promiscuous mode, as the Linux kernel doesn't, as far as I know, turn promiscuous mode on for all interfaces if you try to set promiscuous mode on an unbound socket.
but is there a way of listening on a set of interfaces in promiscuous mode?
Open multiple pcap_t's, get the file descriptors for them (use "pcap_get_selectable_fd()" if your libpcap has it, "pcap_fileno()" otherwise), and do a "select()" or "poll()" on them for reading. If a descriptor is marked as ready to read, do a "pcap_dispatch()" on the corresponding pcap_t.
Note that this should work on most non-Linux UN*Xes as well. To make this run on BSDs, you should put the descriptors in non-blocking mode (use "pcap_setnonblock()" if your libpcap has it, otherwise set non-blocking mode on the descriptor returned by "pcap_fileno()" - if it has "pcap_get_selectable_fd()", it has "pcap_setnonblock()"), set the timeout in the "select()" or "poll()" to the shortest timeout used in "pcap_open_live()" for any of the pcap_t's, and read from all of the pcap_t's when "select()" returns.
- This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
