Is there any reason this patch hasn't been looked at yet? I've fixed the patch to apply to latest libpcap source (1.0.0-2), find attached.
I'd find this a massively useful feature; often the direction matters. E.g. to watch traffic relating to a local ssh server, ignoring local ssh clients:

  tcpdump inbound tcp dest port 22 or outbound tcp src port 22

Without inbound/outbound support, it is impossible.

While we're at it, also it would be useful to have some selection on the interface name when doing -i any. E.g. to watch what happens to traffic being forwarded eth0 -> eth1:

  tcpdump -i any inbound iface eth0 or outbound iface eth1

Though admittedly this one would require more printing of details on the output (namely, the direction and interface); I'd want to see something like:

  17:09:22.021483 IN eth0 IP 192.168.2.1.domain > 192.168.2.221.56936: 24709 NXDomain 0/1/0 (97)
  17:09:22.021504 OUT eth1 IP 192.168.2.1.domain > 192.168.2.221.56936: 24709 NXDomain 0/1/0 (97)

which then becomes a bug also for tcpdump. But the low levels of this are pcap's domain, at least.

Having looked over the LINUX_SLL link type I don't think it's possible there, as pcap throws away the sll_pkttype and sll_ifindex fields. Perhaps this would require a new LINUX_SLL2 link type? I'd be happy to code this one up...

-- 
Paul "LeoNerd" Evans
[email protected]
ICQ# 4135350 | Registered Linux# 179460
http://www.leonerd.org.uk/

--- gencode.c 2009-06-30 17:23:17.625545480 +0100
+++ gencode.c 2009-06-30 17:18:53.000000000 +0100
@@ -7243,6 +7243,19 @@
* Only some data link types support inbound/outbound qualifiers.
*/
switch (linktype) {
+ case DLT_EN10MB:
+ /* ethernet flags (including direction) are stored
+ * the byte after the 3-byte magic number */
+ if (dir) {
+ /* match outgoing packets */
+ b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01);
+ } else {
+ /* incoming packets */
+ b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01);
+ }
+
+ break;
+
case DLT_SLIP:
b0 = gen_relation(BPF_JEQ,
gen_load(Q_LINK, gen_loadi(0), 1),
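Review bot: In the new DLT_EN10MB case, both gen_mcmp(OR_LINK, 3, BPF_B, ..., 0x01) calls test bit 0 of the byte at link-layer offset 3, which the comment describes as a flags byte after a "3-byte magic number", but a standard Ethernet header has no magic number and offset 3 falls inside the destination MAC address. Please document which capture source prepends this header and where its layout is defined, and consider giving that framing its own link type instead of attaching it to DLT_EN10MB, so that inbound/outbound on an ordinary Ethernet capture does not silently match on an address byte. The two branches differ only in the compared value (1 vs 0), so a single call such as gen_mcmp(OR_LINK, 3, BPF_B, dir ? 1 : 0, 0x01), with named constants for the offset and mask, would be easier to read; the comment should also read "stored in the byte after".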

