[Winpcap-users] Can I capture inbound packets only?
Greg Watson
gwatson at stanford.edu
Tue Feb 14 22:52:22 GMT 2006
Here's a follow-up to my request posted Feb 10 2006.

I wanted to know if I could capture only inbound packets (no outbound
packets).

Well, one suggestion from Ben Greear was to use the PF_PACKET sockets on
Linux. I haven't tried that one.

Here's what I did:

Since I am running on Linux I open the "any" device which will allow me
to receive packets on any interface.
A side effect of this is that the interface type becomes DLT_LINUX_SLL,
which provides packets to you in a cooked format. So instead of getting
the raw packet you get a 16-byte header followed by the packet data
after the ethertype. One of the values in the cooked header is a value
that tells you whether you sent this packet or if it came from outside.

The downside to this is that you cannot tell which interface a packet
came in on (not a problem if you only have one).
-Greg
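
The cooked-header check described in the message above, as an added example that is not part of the original post: it parses the 16-byte DLT_LINUX_SLL header and drops packets whose packet-type field marks them as sent by this host. The function names and sample buffers are constructed for illustration; in a libpcap program the bytes would come from the capture callback once pcap_datalink() reports DLT_LINUX_SLL.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SLL_HDR_LEN      16   /* fixed size of the cooked header */
#define SLL_PKT_OUTGOING  4   /* packet type: sent by this host */

struct sll_info {
    uint16_t pkttype;   /* 0 to us, 1 broadcast, 2 multicast, 3 to other host, 4 sent by us */
    uint16_t hatype;    /* ARPHRD_ link-layer type */
    uint16_t halen;     /* link-layer address length */
    uint16_t protocol;  /* EtherType of the payload */
    const uint8_t *payload;
    size_t payload_len;
};

/* All cooked-header fields are big-endian (network byte order). */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse the cooked header; returns 0 on success, -1 if the capture is too short. */
int sll_parse(const uint8_t *buf, size_t caplen, struct sll_info *out)
{
    if (buf == NULL || out == NULL || caplen < SLL_HDR_LEN)
        return -1;
    out->pkttype  = be16(buf);
    out->hatype   = be16(buf + 2);
    out->halen    = be16(buf + 4);      /* bytes 6..13 hold the address, zero padded */
    out->protocol = be16(buf + 14);
    out->payload  = buf + SLL_HDR_LEN;
    out->payload_len = caplen - SLL_HDR_LEN;
    return 0;
}

/* 1 if the packet was received, 0 if sent by this host or unparseable. */
int sll_is_inbound(const uint8_t *buf, size_t caplen)
{
    struct sll_info h;
    return sll_parse(buf, caplen, &h) == 0 && h.pkttype != SLL_PKT_OUTGOING;
}

/* Constructed samples: cooked header + 2 payload bytes, Ethernet (ARPHRD 1), IPv4 (0x0800). */
const uint8_t sample_rx[] = {0,0, 0,1, 0,6, 0x00,0x11,0x22,0x33,0x44,0x55,0,0, 0x08,0x00, 0x45,0x00};
const uint8_t sample_tx[] = {0,4, 0,1, 0,6, 0x00,0xaa,0xbb,0xcc,0xdd,0xee,0,0, 0x08,0x00, 0x45,0x00};

int main(void)
{
    printf("rx inbound=%d\n", sll_is_inbound(sample_rx, sizeof sample_rx));
    printf("tx inbound=%d\n", sll_is_inbound(sample_tx, sizeof sample_tx));
    return 0;
}
```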