On Wed, Jun 04, 2003 at 12:46:28AM -0700, Ben Greear wrote:
> Is there any fool-proof way to determine if a packet
> was coming into the interface v/s going out the interface
> when looking at a libpcap dump file?

No. It is not always the case that the packet capture mechanism used by libpcap even supplies that information; the libpcap capture file format thus doesn't include that information.

On an interface where there are no link-layer addresses, you're completely out of luck in that case, unless the machine is doing no routing and you can thus look at the network-layer address (and even then it works only for packets that *have* network-layer addresses).

On an interface where there are link-layer addresses, you can try to determine whether a packet is incoming or outgoing by seeing whether the link-layer address is that of the interface or not. I don't know whether that's guaranteed or not.

-
This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html
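
The link-layer heuristic from the reply above, as an added example that is not part of the original message or of libpcap: it reads a classic pcap file of Ethernet frames and compares each frame's addresses with the capturing interface's MAC, which the caller must supply because the file does not record it. The function names, MAC addresses and sample capture are constructed for illustration.

```python
import struct

DLT_EN10MB = 1  # pcap link-layer type for Ethernet

def classify_directions(pcap_bytes, iface_mac):
    """Guess 'out', 'in' or 'unknown' for each frame in a classic pcap file."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"                      # written on a little-endian host
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"                      # written on a big-endian host
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    (linktype,) = struct.unpack_from(end + "I", pcap_bytes, 20)
    if linktype != DLT_EN10MB:
        raise ValueError("no Ethernet addresses for link type %d" % linktype)
    results, off = [], 24              # records follow the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        _sec, _usec, incl_len, _orig = struct.unpack_from(end + "IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16 : off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 12:            # snaplen cut off the address fields
            results.append("unknown")
            continue
        dst, src = frame[0:6], frame[6:12]
        if src == iface_mac and dst != iface_mac:
            results.append("out")
        elif src != iface_mac and (dst == iface_mac or dst[0] & 1):
            results.append("in")       # unicast to us, or broadcast/multicast from a peer
        else:
            results.append("unknown")  # third-party traffic (promiscuous mode) or src == dst
    return results

def build_sample(iface_mac, peer_mac):
    """Constructed capture: four Ethernet frames in a little-endian pcap."""
    frames = [
        peer_mac + iface_mac + b"\x08\x00" + b"\x00" * 20,    # sent by the interface
        iface_mac + peer_mac + b"\x08\x00" + b"\x00" * 20,    # unicast to the interface
        b"\xff" * 6 + peer_mac + b"\x08\x06" + b"\x00" * 28,  # broadcast from a peer
        bytes.fromhex("02000000aaaa") + peer_mac + b"\x08\x00" + b"\x00" * 20,  # two other hosts
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

IFACE = bytes.fromhex("020000000001")  # constructed, locally administered MACs
PEER = bytes.fromhex("020000000002")
print(classify_directions(build_sample(IFACE, PEER), IFACE))
```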
