On Nov 2, 2011, at 2:07 PM, 임영빈 wrote:

> I'm using WinPcap in my application.
> I'd like to capture packets communicating with external hosts (not local
> network hosts).
> So I tried the 'not net localnet' filtering option, but I encountered a syntax
> error.
> Does the 'localnet' keyword (I'm not sure whether it is a keyword) work in WinPcap?

It's not a keyword, it's a name that gets looked up by getnetbyname() on
systems that have getnetbyname(). Windows doesn't have it, so you can't use
names for the "net" keyword with WinPcap.

> It seems that in libpcap it works.

It works *if* it's in /etc/networks, which it isn't on all systems:

    $ tcpdump -d -i en1 not net localnet
    tcpdump: unknown network 'localnet'
    $ sw_vers
    ProductName: Mac OS X
    ProductVersion: 10.6.8
    BuildVersion: 10K549

However, that raises the question of what "the" local network is; if I were to
plug the machine on which I ran those commands into an Ethernet, it would be
connected to two networks (our Wi-Fi network and the Ethernet into which it was
plugged), so, even if the system were to construct a "localnet" entry in
/etc/networks on the fly, it would have to pick one of those.

What you might want to do is use pcap_lookupnet() to get an IPv4 address and
netmask for the network to which the interface on which you're capturing is
connected, and construct a filter expression string using those. Perhaps
libpcap/WinPcap should add filter syntax to support that (it already has
"broadcast" to check for local net IP broadcasts, also using the IPv4 address
and netmask). The pcap-filter man page should also be updated not to speak of
"localnet" as working.
_______________________________________________
Winpcap-users mailing list
https://www.winpcap.org/mailman/listinfo/winpcap-users
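The approach suggested in the reply above, as an added example (not code from the original message or from libpcap/WinPcap): take the network and netmask that pcap_lookupnet() returns and build the filter string from them instead of relying on a 'localnet' name. The helper names, the WITH_PCAP build switch and the sample 192.168.1.0/24 values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef WITH_PCAP /* build: cc -DWITH_PCAP example.c -lpcap */
#include <pcap.h>
#endif

/* Dotted quad for an IPv4 value in network byte order, which is how
 * pcap_lookupnet() returns it; byte-wise, so host endianness is irrelevant. */
static void fmt_ipv4(uint32_t nbo, char out[16])
{
    unsigned char b[4];
    memcpy(b, &nbo, sizeof b);
    snprintf(out, 16, "%u.%u.%u.%u", b[0], b[1], b[2], b[3]);
}

/* Writes "not net <net> mask <mask>" into buf. Returns 0, or -1 when the
 * mask is zero (no usable IPv4 network) or buf is too small. */
int build_not_localnet(uint32_t net, uint32_t mask, char *buf, size_t len)
{
    char n[16], m[16];
    if (mask == 0)
        return -1;
    fmt_ipv4(net & mask, n);
    fmt_ipv4(mask, m);
    int w = snprintf(buf, len, "not net %s mask %s", n, m);
    return (w < 0 || (size_t)w >= len) ? -1 : 0;
}

int main(int argc, char **argv)
{
    char filter[64];
    uint32_t net, mask;
#ifdef WITH_PCAP /* argv[1] is the capture interface name */
    char errbuf[PCAP_ERRBUF_SIZE];
    bpf_u_int32 n, m;
    if (argc < 2 || pcap_lookupnet(argv[1], &n, &m, errbuf) == -1)
        return 1;
    net = n; mask = m;
#else /* constructed sample values: 192.168.1.0/24 */
    const unsigned char nb[4] = {192, 168, 1, 0}, mb[4] = {255, 255, 255, 0};
    (void)argc; (void)argv;
    memcpy(&net, nb, 4); memcpy(&mask, mb, 4);
#endif
    if (build_not_localnet(net, mask, filter, sizeof filter) != 0)
        return 1;
    puts(filter); /* pass to pcap_compile(), then pcap_setfilter() */
    return 0;
}
```

Because an unqualified `net` matches either source or destination, this expression also drops the capturing host's own traffic when that host sits on the network in question. Using `not (src net ... mask ... and dst net ... mask ...)` instead keeps packets where only one end is local.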