If you want the information badly enough and you're dealing with IP packets, you could crack open the IP headers and compare the source address with the address of the interface you're doing the capture on. (Note that destination addresses are trickier because machines can also receive broadcasts and multicasts.) That's not as nice as if pcap would do the job for you, but it would work. If you're using a Unix variant, there's probably an OS call to get the machine's IP address (I don't remember offhand whether it handles more than one) but I don't remember what the call I've seen was. I think there's also something similar on Windows, but I'm not positive. Also note that if you're capturing in promiscuous mode, you can get packets that your machine is neither the source nor an official destination for.

Nathan Barclay
Teledyne Brown Engineering

-----Original Message-----
From: Guy Harris [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 29, 2002 1:16 AM
To: max
Cc: [EMAIL PROTECTED]
Subject: Re: [tcpdump-workers] libpcap question

On Sun, Jul 28, 2002 at 02:46:16PM -0700, max wrote:
> When I capture a packet with libpcap, how can I tell if the packet is
> incoming or outgoing?

You can't necessarily do so; that information isn't available on all platforms, and, as you note, there's nothing in "pcap_pkthdr" to supply that information, so you can't get that from libpcap.

> The struct which is returned with every captured packet, pcap_pkthdr,
> does not contain this information. The stats structure, pcap_stat,
> seems to do.

On at least some platforms, the stats structure gets statistics from the OS; it doesn't count packets itself. I.e.:

> Do I need to call the function which fills the stats struct for every
> packet I capture

...there is no such function on many platforms. Even on platforms where the OS doesn't supply that information, and where the counts are maintained by libpcap, it doesn't make any distinction between incoming and outgoing for "ps_recv" (packets that are transmitted by the machine running the libpcap-based application are often supplied as input to the packet capture mechanism used by libpcap, so they show up as "received" packets).

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
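The address comparison suggested in the reply above, as an added example (not code from the thread or from libpcap). It assumes untagged Ethernet frames (DLT_EN10MB) carrying IPv4 and uses `getifaddrs()` to fetch the capture interface's addresses; `local_ipv4`, `classify` and `build_frame` are hypothetical names, and the sample addresses are constructed.

```c
#include <ifaddrs.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

enum pkt_dir { DIR_UNKNOWN, DIR_OUTGOING, DIR_INCOMING, DIR_NOT_OURS };

/* IPv4 addresses of interface ifname, network byte order; returns count or -1. */
int local_ipv4(const char *ifname, uint32_t *out, int max) {
    struct ifaddrs *list, *p;
    int n = 0;
    if (getifaddrs(&list) != 0) return -1;
    for (p = list; p != NULL && n < max; p = p->ifa_next)
        if (p->ifa_addr && p->ifa_addr->sa_family == AF_INET &&
            strcmp(p->ifa_name, ifname) == 0)
            out[n++] = ((struct sockaddr_in *)p->ifa_addr)->sin_addr.s_addr;
    freeifaddrs(list);
    return n;
}

/* Classify one untagged Ethernet frame of caplen captured bytes. */
enum pkt_dir classify(const uint8_t *f, size_t caplen, const uint32_t *local, int n) {
    uint32_t src, dst;
    if (caplen < 14 + 20 || f[12] != 0x08 || f[13] != 0x00) return DIR_UNKNOWN;
    if ((f[14] >> 4) != 4 || (f[14] & 0x0f) < 5) return DIR_UNKNOWN;
    memcpy(&src, f + 26, 4);   /* IPv4 source address */
    memcpy(&dst, f + 30, 4);   /* IPv4 destination address */
    for (int i = 0; i < n; i++) if (local[i] == src) return DIR_OUTGOING;
    for (int i = 0; i < n; i++) if (local[i] == dst) return DIR_INCOMING;
    /* Limited broadcast or multicast; subnet broadcast needs the netmask (not handled). */
    if (dst == 0xffffffffu || (f[30] & 0xf0) == 0xe0) return DIR_INCOMING;
    return DIR_NOT_OURS;       /* seen only because of promiscuous mode */
}

/* Constructed sample: minimal Ethernet + IPv4 header with the given addresses. */
void build_frame(uint8_t f[34], uint32_t src, uint32_t dst) {
    memset(f, 0, 34);
    f[12] = 0x08; f[14] = 0x45;            /* EtherType IPv4 (0x0800), version 4, IHL 5 */
    memcpy(f + 26, &src, 4); memcpy(f + 30, &dst, 4);
}

int main(void) {
    uint8_t f[34];
    uint32_t me = htonl(0xC0000201);               /* 192.0.2.1, constructed */
    build_frame(f, me, htonl(0xC6336407));         /* sent to 198.51.100.7 */
    printf("direction: %d\n", classify(f, sizeof f, &me, 1));
    return 0;
}
```

In a capture program, `local_ipv4()` would be called once for the capture interface before the packet loop, and `classify()` would be given each packet's data pointer and `caplen`.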
