On Sun, Aug 03, 2003 at 12:13:43PM -0700, Andrew Konstantinov wrote:
> 1) Is there any way I can specify in the filter description that it should match
> only incoming packets on some interface? inbound/outbound keywords work only for
> 'slip' (according to tcpdump man page). I could do that with 'not src host' and then
> put the local hostname after that, but is there a more general solution, without the
> need for local hostname or ip address?

You need to call pcap_open_live() with the appropriate device argument, if you wish to monitor individual interfaces. Unfortunately the pcap interface doesn't support a means of passing the interface name to a callback handler function. So you'd have to rewrite pcap_loop() to call pcap_dispatch() for individual pcap_t's for each interface you pay specific attention to.

Most pcap apps I've written that do anything elaborate require me to override pcap_loop() anyway. Perhaps there's a good candidate for extending the interface so that this sort of thing can be more easily done.

> 2) I can't figure out how to set up a filter so it could match several ports at once.
> For example, I want the filter to only match 21-25 and 113 ports for incoming
> traffic. How do I do that? Right now I can see only two solutions. I could simply
> sniff all the traffic, and then filter out the interesting ports by myself, or I
> could set up several filters each of which would be responsible for a specific port.
> But both solutions seem to be inefficient. Is there a better way to accomplish this?

This is on PHK's kernel hacker TODO list! Patches gratefully accepted...
http://people.freebsd.org/~phk/TODO/

BMS
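The first option raised in question 2 (capture everything and pick out ports 21-25 and 113 yourself), as an added example that is not part of the original message or of libpcap. The names wanted_dst_port() and make_frame() are hypothetical, and the code assumes untagged Ethernet II frames carrying IPv4/TCP; it checks only the destination port, not the direction of the traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Big-endian (network order) 16-bit read. */
static uint16_t rd16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Hypothetical helper: 1 if the frame is IPv4/TCP with destination port
 * 21-25 or 113, else 0. Assumes Ethernet II, no VLAN tag. caplen is the
 * captured length (pcap_pkthdr.caplen inside a pcap callback). */
int wanted_dst_port(const unsigned char *pkt, size_t caplen)
{
    if (caplen < 14 + 20 || rd16(pkt + 12) != 0x0800)
        return 0;                                   /* short, or not IPv4 */
    const unsigned char *ip = pkt + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;        /* options make this vary */
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6)
        return 0;                                   /* malformed, or not TCP */
    if (rd16(ip + 6) & 0x1fff)
        return 0;                                   /* later fragment: no TCP header */
    if (caplen < 14 + ihl + 4)
        return 0;                                   /* ports were not captured */
    uint16_t dport = rd16(ip + ihl + 2);
    return (dport >= 21 && dport <= 25) || dport == 113;
}

/* Constructed sample frame (not real traffic): zeroed headers with only the
 * fields the check reads filled in. Returns the frame length. */
size_t make_frame(unsigned char *buf, unsigned ihl_words, uint16_t frag, uint16_t dport)
{
    size_t ihl = ihl_words * 4, len = 14 + ihl + 20;
    memset(buf, 0, len);
    buf[12] = 0x08; buf[13] = 0x00;                 /* EtherType IPv4 */
    buf[14] = (unsigned char)(0x40 | ihl_words);    /* version 4 + IHL */
    buf[14 + 6] = (unsigned char)(frag >> 8); buf[14 + 7] = (unsigned char)frag;
    buf[14 + 9] = 6;                                /* protocol TCP */
    buf[14 + ihl + 2] = (unsigned char)(dport >> 8); buf[14 + ihl + 3] = (unsigned char)dport;
    return len;
}

int main(void)
{
    unsigned char f[128];
    const uint16_t ports[] = { 20, 21, 25, 26, 113 };
    for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++)
        printf("dst port %u -> %d\n", (unsigned)ports[i],
               wanted_dst_port(f, make_frame(f, 5, 0, ports[i])));
    return 0;
}
```

In a capture program the check would be called from the handler passed to pcap_dispatch(), with the packet pointer and the header's caplen.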

