Re: [WinPcap-users] does winpcap work with adapter with multiple IP addresses?
--- Gisle Vanem [EMAIL PROTECTED] wrote:
> (please don't start a new thread by replying to a previous unrelated posting. It messes up threaded email clients and the web-mail archive).

sorry about this. Next time I will be more careful.

> Jinhai Yang said:
> > I'm looking at set up proper filter rules for an adapter with two IP addresses. My question is: Does winpcap work with adapter with multiple IP addresses? I looked at the code, seems to me pcap_lookupnet() and pcap_compile() both assume one IP address per adapter.
>
> Yes, pcap_lookupnet() returns only the 1st address. It says so plainly in the comment in inet.c:
>
>   We need only the first IPv4 address, so we must scan the array returned by PacketGetNetInfo() in order to skip non IPv4 (i.e. IPv6 addresses).
>
> You can probably circumvent this by calling PacketGetNetInfoEx() and extract the correct address before calling pcap_compile().

Not sure how this works. pcap_compile() takes a netmask as input. So if I have 3 addresses (each with different netmask) assigned to the NIC, I need to call pcap_compile() 3 times? Will that screw up/overwrite some internal structures? What you suggested would work if I want to see traffic through one of the addresses, but what I want to see all the traffic (with some filtering rules, of course) coming through the NIC (from any address).

> But are you sure Windows doesn't create two devices in this case? (one for each address. The 2nd being some pseudo device one can use to route through to the 1st device. I know it does that for Teredo/IPv6 tunneling).

I don't think windows created two devices in this case. If you run ipconfig /all, it will just show two IP addresses under the same adapter. I know in some cases, a virtual adapter will be created under Windows, but I don't think this is the case.

> PS. What would be the proper description of such a box? I thought multihomed means a box with 1 adapter and 1 address each. Is this a multihomed box too?
>
> --gv

According to MS white paper Microsoft Windows 2000 TCP/IP Implementation Details, multihomed simply means a box with more than one IP address, that includes both a) multiple IPs per NIC, and b) multiple physical NICs per box. Or maybe a combination of both.

Thanks for the reply.

Jinhai

== This is the WinPcap users list. It is archived at http://www.mail-archive.com/[EMAIL PROTECTED]/ To unsubscribe use mailto: [EMAIL PROTECTED] ==
Re: [WinPcap-users] does winpcap work with adapter with multiple IP addresses?
(please don't start a new thread by replying to a previous unrelated posting. It messes up threaded email clients and the web-mail archive).

Jinhai Yang said:
> I'm looking at set up proper filter rules for an adapter with two IP addresses. My question is: Does winpcap work with adapter with multiple IP addresses? I looked at the code, seems to me pcap_lookupnet() and pcap_compile() both assume one IP address per adapter.

Yes, pcap_lookupnet() returns only the 1st address. It says so plainly in the comment in inet.c:

  We need only the first IPv4 address, so we must scan the array returned by PacketGetNetInfo() in order to skip non IPv4 (i.e. IPv6 addresses).

You can probably circumvent this by calling PacketGetNetInfoEx() and extract the correct address before calling pcap_compile().

But are you sure Windows doesn't create two devices in this case? (one for each address. The 2nd being some pseudo device one can use to route through to the 1st device. I know it does that for Teredo/IPv6 tunneling).

PS. What would be the proper description of such a box? I thought multihomed means a box with 1 adapter and 1 address each. Is this a multihomed box too?

--gv
Re: [WinPcap-users] does winpcap work with adapter with multiple IP addresses?
On Apr 19, 2004, at 1:46 PM, Jinhai Yang wrote:
> I'm looking at set up proper filter rules for an adapter with two IP addresses. My question is: Does winpcap work with adapter with multiple IP addresses?

(This is actually a generic libpcap issue, so my answer applies on UN*X as well as Windows.)

> I looked at the code, seems to me pcap_lookupnet() and pcap_compile() both assume one IP address per adapter.

pcap_lookupnet() does assume one IP address per adapter; pcap_findalldevs() doesn't. pcap_compile() does handle only one IP address per adapter - but the *ONLY* place where it uses the netmask is in tests for IP broadcast addresses.

> In the windump code (tcpdump.c), pcap_lookupnet() only returns the first IP address of the adapter. Pcap_compile() then takes the netmask returned by pcap_lookupnet(). What happens if the adapter has two IP addresses and they have different netmasks?

What happens is that filter expressions that include ip broadcast check only for broadcast addresses for the first netmask. (Note, by the way, that ip broadcast doesn't check for 255.255.255.255.) *Everything else* works fine.

> Am I missing something? What should I do to make it work for multiple IPs per adapter case?

Either 1) don't use ip broadcast or 2) add a new API to libpcap to allow multiple netmasks to be supplied and use that.
Re: [WinPcap-users] does winpcap work with adapter with multiple IP addresses?
Hi.

Why don't you use pcap_findalldevs() or pcap_findalldevs_ex()? It returns a list of adapters (i.e. pcap_if structures), each one containing a list of the IPv4 and IPv6 addresses associated to each adapter. In particular, there's an example in the developer's pack (iflist) showing how to obtain the list of addresses for each adapter. The same example is present in the tutorial part of the winpcap documentation, available online at

Have a nice day

GV

----- Original Message -----
From: Gisle Vanem [EMAIL PROTECTED]
To: WinDump [EMAIL PROTECTED]
Sent: Tuesday, April 20, 2004 2:38 PM
Subject: Re: [WinPcap-users] does winpcap work with adapter with multiple IP addresses?

(please don't start a new thread by replying to a previous unrelated posting. It messes up threaded email clients and the web-mail archive).

Jinhai Yang said:
> I'm looking at set up proper filter rules for an adapter with two IP addresses. My question is: Does winpcap work with adapter with multiple IP addresses? I looked at the code, seems to me pcap_lookupnet() and pcap_compile() both assume one IP address per adapter.

Yes, pcap_lookupnet() returns only the 1st address. It says so plainly in the comment in inet.c:

  We need only the first IPv4 address, so we must scan the array returned by PacketGetNetInfo() in order to skip non IPv4 (i.e. IPv6 addresses).

You can probably circumvent this by calling PacketGetNetInfoEx() and extract the correct address before calling pcap_compile().

But are you sure Windows doesn't create two devices in this case? (one for each address. The 2nd being some pseudo device one can use to route through to the 1st device. I know it does that for Teredo/IPv6 tunneling).

PS. What would be the proper description of such a box? I thought multihomed means a box with 1 adapter and 1 address each. Is this a multihomed box too?

--gv
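An added example, not code from any of the posts or from libpcap: one way to follow the "don't use ip broadcast" option is to take every IPv4 address/netmask pair that pcap_findalldevs() reports for the adapter and name each subnet's directed broadcast address explicitly, together with 255.255.255.255. The names `v4net`, `IP4`, `add_host` and `build_broadcast_filter` are hypothetical, and the sample addresses are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical holder for one IPv4 address/netmask pair in host byte order.
 * Real code would fill it from each pcap_if's address list (via ntohl()). */
struct v4net { uint32_t addr, mask; };
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Append "dst host a.b.c.d" (with " or " unless first); -1 if out is full. */
static int add_host(char *out, size_t cap, uint32_t ip, int first)
{
    size_t used = strlen(out);
    int n = snprintf(out + used, cap - used, "%sdst host %u.%u.%u.%u", first ? "" : " or ",
                     (unsigned)(ip >> 24), (unsigned)((ip >> 16) & 255),
                     (unsigned)((ip >> 8) & 255), (unsigned)(ip & 255));
    return (n < 0 || (size_t)n >= cap - used) ? -1 : 0;
}

/* Filter text for 255.255.255.255 plus each subnet's directed broadcast; 0 or -1. */
int build_broadcast_filter(const struct v4net *nets, size_t n, char *out, size_t cap)
{
    uint32_t seen[16];
    size_t nseen = 0, i, j;
    if (cap < 16) return -1;
    strcpy(out, "ip and (");
    if (add_host(out, cap, 0xFFFFFFFFu, 1)) return -1;
    for (i = 0; i < n; i++) {
        uint32_t bc = nets[i].addr | ~nets[i].mask;
        if (nets[i].mask == 0xFFFFFFFFu || bc == 0xFFFFFFFFu) continue; /* no subnet broadcast */
        for (j = 0; j < nseen && seen[j] != bc; j++) ;
        if (j < nseen) continue;                 /* two addresses in the same subnet */
        if (nseen == 16 || add_host(out, cap, bc, 0)) return -1;
        seen[nseen++] = bc;
    }
    if (strlen(out) + 2 > cap) return -1;
    strcat(out, ")");
    return 0;
}

int main(void)
{
    /* Constructed sample: one adapter, three addresses, two subnets. */
    struct v4net nets[] = { { IP4(192,168,1,10), IP4(255,255,255,0) },
        { IP4(10,1,2,3), IP4(255,0,0,0) }, { IP4(192,168,1,20), IP4(255,255,255,0) } };
    char filter[256];
    if (build_broadcast_filter(nets, 3, filter, sizeof filter) == 0)
        puts(filter);   /* this string is what would be handed to pcap_compile() */
}
```

Because the resulting expression contains no ip broadcast test, the single netmask argument of pcap_compile() no longer affects what it matches.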
Fw: [WinPcap-users] does winpcap work with adapter with multiple IP addresses?
----- Original Message -----
From: Gianluca Varenni [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, April 21, 2004 9:10 AM
Subject: Re: [WinPcap-users] does winpcap work with adapter with multiple IP addresses?

Hi.

Why don't you use pcap_findalldevs() or pcap_findalldevs_ex()? It returns a list of adapters (i.e. pcap_if structures), each one containing a list of the IPv4 and IPv6 addresses associated to each adapter. In particular, there's an example in the developer's pack (iflist) showing how to obtain the list of addresses for each adapter. The same example is present in the tutorial part of the winpcap documentation, available online at

oops... it's at http://winpcap.polito.it/docs/docs31beta/html/group__wpcap__tut2.html

Have a nice day

GV

----- Original Message -----
From: Gisle Vanem [EMAIL PROTECTED]
To: WinDump [EMAIL PROTECTED]
Sent: Tuesday, April 20, 2004 2:38 PM
Subject: Re: [WinPcap-users] does winpcap work with adapter with multiple IP addresses?

(please don't start a new thread by replying to a previous unrelated posting. It messes up threaded email clients and the web-mail archive).

Jinhai Yang said:
> I'm looking at set up proper filter rules for an adapter with two IP addresses. My question is: Does winpcap work with adapter with multiple IP addresses? I looked at the code, seems to me pcap_lookupnet() and pcap_compile() both assume one IP address per adapter.

Yes, pcap_lookupnet() returns only the 1st address. It says so plainly in the comment in inet.c:

  We need only the first IPv4 address, so we must scan the array returned by PacketGetNetInfo() in order to skip non IPv4 (i.e. IPv6 addresses).

You can probably circumvent this by calling PacketGetNetInfoEx() and extract the correct address before calling pcap_compile().

But are you sure Windows doesn't create two devices in this case? (one for each address. The 2nd being some pseudo device one can use to route through to the 1st device. I know it does that for Teredo/IPv6 tunneling).

PS. What would be the proper description of such a box? I thought multihomed means a box with 1 adapter and 1 address each. Is this a multihomed box too?

--gv