Subject: libpcap: ethernet in/outbound support
Package: libpcap0.8
Version: 0.9.5-1
Severity: wishlist
Hi!
Sorry for my English, I'm not a native English speaker.
I use tcpdump and I see:
manson:~# tcpdump -i eth1 inbound
tcpdump: inbound/outbound not supported on linktype 1
manson:~# tcpdump -i eth1 outbound
tcpdump: inbound/outbound not supported on linktype 1
I wrote a little patch for it:
--- gencode.c 2007-07-10 21:38:15.000000000 +0200
+++ gencode.c 2007-10-28 16:36:47.000000000 +0100
@@ -6352,7 +6352,7 @@
gen_loadi(0),
dir);
break;
-
+
case DLT_LINUX_SLL:
if (dir) {
/*
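Review bot: the only change in this hunk, the blank line before case DLT_LINUX_SLL, replaces one empty line with another, so it is a whitespace-only edit (most likely trailing whitespace added by the editor). Drop this hunk so the patch carries only the DLT_EN10MB change.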
@@ -6389,6 +6389,21 @@
}
break;
+ /* New support inbound/outbound ethernet devices
+ * We can to use it with promiscue mode!! */
+ case DLT_EN10MB:
+ /* ethernet flags (including direction) are stored
+ * the byte after the 3-byte magic number */
+ if (dir) {
+ /* match outgoing packets */
+ b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01);
+ } else {
+ /* incoming packets */
+ b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01);
+ }
+
+ break;
+
case DLT_JUNIPER_MFR:
case DLT_JUNIPER_MLFR:
case DLT_JUNIPER_MLPPP:
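Review bot: the offset in gen_mcmp(OR_LINK, 3, BPF_B, ...) in the new DLT_EN10MB case does not point at a direction flag. An Ethernet header has no 3-byte magic number; its first six bytes are the destination MAC address, so this compares the low bit of the fourth destination-address byte, and the match depends on who the frame is addressed to rather than on whether it was sent or received. The "3-byte magic number" comment appears to have been carried over from the Juniper cases that follow. The sample inbound output further down lists packets from host722 to 224.0.0.251 next to replies addressed to that host, which is what an address-byte match would produce. The bytes of an Ethernet frame carry no direction information, so the direction has to come from outside the link-layer header; until it does, the existing "inbound/outbound not supported on linktype 1" error is the safer behaviour, because a filter that silently misclassifies traffic is worse for anyone relying on the capture than one that refuses to compile.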
Example INBOUND:
manson:/home/whyx/code/tcpdump# tcpdump -i eth1 inbound
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
19:56:04.742368 arp reply 192.168.1.1 is-at 00:17:c2:59:1f:3c (oui
Unknown)
19:56:04.798405 IP 192.168.1.1.domain >
host722.homenet.telecomitalia.it.1049: 57729 NXDomain 0/0/0 (42)
19:56:04.902140 IP host722.homenet.telecomitalia.it.mdns >
224.0.0.251.mdns: 0 PTR? 1.1.168.192.in-addr.arpa. (42)
19:56:05.746272 arp reply 192.168.1.1 is-at 00:17:c2:59:1f:3c (oui
Unknown)
19:56:05.906306 IP host722.homenet.telecomitalia.it.mdns >
224.0.0.251.mdns: 0 PTR? 1.1.168.192.in-addr.arpa. (42)
19:56:06.750265 arp reply 192.168.1.1 is-at 00:17:c2:59:1f:3c (oui
Unknown)
19:56:07.754258 arp reply 192.168.1.1 is-at 00:17:c2:59:1f:3c (oui
Unknown)
Example OUTBOUND:
manson:/home/whyx/code/tcpdump# tcpdump -i eth1 outbound
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
19:57:10.977497 arp who-has 192.168.1.1 (00:17:c2:59:1f:3c (oui
Unknown)) tell host722.homenet.telecomitalia.it
19:57:10.980351 IP host722.homenet.telecomitalia.it.1049 >
192.168.1.1.domain: 23549+ PTR? 1.1.168.192.in-addr.arpa. (42)
19:57:11.981368 arp who-has 192.168.1.1 (00:17:c2:59:1f:3c (oui
Unknown)) tell host722.homenet.telecomitalia.it
19:57:12.985344 arp who-has 192.168.1.1 (00:17:c2:59:1f:3c (oui
Unknown)) tell host722.homenet.telecomitalia.it
19:57:13.456378 IP host722.homenet.telecomitalia.it.2168 >
irc.caltanet.it.9999: . ack 2596360304 win 16022 <nop,nop,timestamp
2501189 441258615>
Thank you
Andrea
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: powerpc (ppc)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-powerpc
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Versions of packages libpcap0.8 depends on:
ii libc6 2.3.6.ds1-13etch2 GNU C Library: Shared
libraries
libpcap0.8 recommends no packages.
-- no debconf information