[Winpcap-users] Can I capture inbound packets only?
Guy Harris
guy at alum.mit.edu
Wed Feb 15 00:04:10 GMT 2006
On Feb 14, 2006, at 3:52 PM, Loris Degioanni wrote:
> Guy, can you explain me the semantic of pcap_setdirection()? When
> you say that you only capture incoming packets, do you mean at the
> NIC level (i.e. you only get the packets that the interface card
> receives) or at the pcap adapter level (i.e. you don't get the
> packets that open pcap adapter is transmitting)?
pcap_setdirection(p, PCAP_D_IN);
means "don't show me any of the traffic this host is transmitting on
the adapter(s) on which I'm capturing traffic, regardless of whether
they're being sent through {libpcap,WinPcap} or not.
> The latter is implementable in winpcap, while the former requires
> direction information that the Windows kernel, as far as I know,
> just doesn't provide.
I seem to remember some mail about some mechanisms (possibly
undocumented) that work on some newer versions of Windows to
implement this.
It is allowed for pcap_setdirection() to return -1 for any call, if
the underlying platform doesn't support that particular request.
It's even allowed for that to be dependent on the OS version, rather
than on the general platform, so WinPcap could allow it on some
versions of Windows and not allow it on others.
More information about the Winpcap-users
mailing list