[Winpcap-users] Can I capture inbound packets only?
Loris Degioanni
loris.degioanni at gmail.com
Wed Feb 15 00:52:20 GMT 2006
Guy Harris wrote:
>
> On Feb 14, 2006, at 3:52 PM, Loris Degioanni wrote:
>
>> Guy, can you explain me the semantic of pcap_setdirection()? When you
>> say that you only capture incoming packets, do you mean at the NIC
>> level (i.e. you only get the packets that the interface card receives)
>> or at the pcap adapter level (i.e. you don't get the packets that open
>> pcap adapter is transmitting)?
>
> pcap_setdirection(p, PCAP_D_IN);
>
> means "don't show me any of the traffic this host is transmitting on the
> adapter(s) on which I'm capturing traffic, regardless of whether they're
> being sent through {libpcap,WinPcap} or not.
>
>> The latter is implementable in winpcap, while the former requires
>> direction information that the Windows kernel, as far as I know, just
>> doesn't provide.
>
> I seem to remember some mail about some mechanisms (possibly
> undocumented) that work on some newer versions of Windows to implement
> this.
This was about not capturing the packets that the user sends on the pcap
interface (what I called "pcap adapter level" in my previous mail).
In the kernel, winpcap gets NDIS_PACKETS, which don't have any direction
information, so it's impossible to tell what's ingoing and what's outgoing.
Loris
> It is allowed for pcap_setdirection() to return -1 for any call, if the
> underlying platform doesn't support that particular request. It's even
> allowed for that to be dependent on the OS version, rather than on the
> general platform, so WinPcap could allow it on some versions of Windows
> and not allow it on others.
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users
>
More information about the Winpcap-users
mailing list