We'd like to distinguish between ethernet frames received on an interface, and sent, and due to the nature of the traffic, we can't rely on the addressing information in the packets.
Currently, we do this with an external tap, that generates seperate pcaps for each direction. Works fine, but needs special hardware. We'd rather just bridge through a multi-port linux server. I note that libpcap has pcap_setdirection(), and someone tried to introduce a -P flag to set it (http://sourceforge.net/tracker/?func=detail&aid=2845468&group_id=53066&atid=469575). Is that because the "host inbound"/"host outbound" qualifiers in the pcap-filter syntax do the same thing? They aren't very well described, what do they mean for packets traversing a bridge setup using linux ebtables? And despite the dire warnings in the docs, is inbound and outbound, pcap_setdirection supported with libpcap 0.8 and Linux >= 3.5? Thanks, Sam _______________________________________________ tcpdump-workers mailing list tcpdump-workers@lists.tcpdump.org https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers