[Winpcap-users] about 'localnet' keyword
Guy Harris
guy at alum.mit.edu
Wed Nov 2 14:31:03 PDT 2011
On Nov 2, 2011, at 2:07 PM, 임영빈 wrote:
> I'm using WinPcap in my application.
> I'd like to capture packets communicating with external hosts (not local network hosts).
> So I tried the 'not net localnet' filtering option, but I encountered a syntax error.
> Does the 'localnet' keyword (I'm not sure whether it is a keyword) work in WinPcap?
It's not a keyword, it's a name that gets looked up by getnetbyname() on systems that have getnetbyname(). Windows doesn't have it, so you can't use names for the "net" keyword with WinPcap.
> It seems that in libpcap it works.
It works *if* it's in /etc/networks, which it isn't on all systems:
$ tcpdump -d -i en1 not net localnet
tcpdump: unknown network 'localnet'
$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.6.8
BuildVersion: 10K549
However, that raises the question of what "the" local network is; if I were to plug the machine on which I ran those commands into an Ethernet, it would be connected to two networks (our Wi-Fi network and the Ethernet into which it was plugged), so, even if the system were to construct a "localnet" entry in /etc/networks on the fly, it would have to pick one of those.
What you might want to do is use pcap_lookupnet() to get an IPv4 address and netmask for the network to which the interface on which you're capturing is connected, and construct a filter expression string using those. Perhaps libpcap/WinPcap should add filter syntax to support that (it already has "broadcast" to check for local net IP broadcasts, also using the IPv4 address and netmask). The pcap-filter man page should also be updated not to speak of "localnet" as working.
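
Added example, not part of the original message or of libpcap/WinPcap: one way to build the filter string from the values pcap_lookupnet() returns, in place of the 'localnet' name. The helper names octets() and build_not_localnet() are hypothetical, and the sample address and mask are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pack four octets into a 32-bit value laid out in network byte order,
 * the layout pcap_lookupnet() uses for its netp/maskp outputs. */
static uint32_t octets(unsigned a, unsigned b, unsigned c, unsigned d)
{
    unsigned char raw[4] = { (unsigned char)a, (unsigned char)b,
                             (unsigned char)c, (unsigned char)d };
    uint32_t v;
    memcpy(&v, raw, sizeof v);
    return v;
}

/* Write "not net <net> mask <mask>" into out. Returns 0 on success,
 * -1 if the interface has no usable IPv4 network (mask of 0) or out is
 * too small. net and mask are in network byte order. */
static int build_not_localnet(uint32_t net, uint32_t mask,
                              char *out, size_t outlen)
{
    unsigned char n[4], m[4];
    int len;

    if (mask == 0)   /* "net 0.0.0.0 mask 0.0.0.0" would match every address */
        return -1;
    net &= mask;     /* clear host bits; the filter compiler rejects them */
    memcpy(n, &net, 4);
    memcpy(m, &mask, 4);
    len = snprintf(out, outlen, "not net %d.%d.%d.%d mask %d.%d.%d.%d",
                   n[0], n[1], n[2], n[3], m[0], m[1], m[2], m[3]);
    return (len < 0 || (size_t)len >= outlen) ? -1 : 0;
}

int main(void)
{
    char expr[64];
    /* Constructed sample values. In a capture program they come from
     * pcap_lookupnet(device, &net, &mask, errbuf), and expr then goes
     * to pcap_compile() and pcap_setfilter(). */
    uint32_t net = octets(192, 168, 1, 0), mask = octets(255, 255, 255, 0);

    if (build_not_localnet(net, mask, expr, sizeof expr) == 0)
        puts(expr);  /* not net 192.168.1.0 mask 255.255.255.0 */
    return 0;
}
```

Because "net" matches when either the source or the destination address is in the network, this expression also drops the capturing host's own traffic whenever its address falls inside that network.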