On Fri, Sep 06, 2002 at 03:11:20PM -0400, subramoni padmanabhan wrote:
> I want to detect packets arriving at a router on any of its interfaces
> using the pcap functions. I came to know that this can be achieved using the
> "any" device in pcap_open_live.

If you're on a Linux system with a 2.2 or later kernel, that is. On other OSes, you can't use it.

> But my question is, what do we use as the
> device in pcap_lookupnet() which gives us the netmask of the
> interface?

You don't, because you can't.

> We need to use this netmask in pcap_open_live().

You meant "we need to use this netmask in pcap_compile()"; there is no netmask argument to "pcap_open_live()".

The *only* purpose the netmask argument to "pcap_compile()" serves is to provide a netmask for use with the "broadcast" primitive in capture filters - a check for an IP broadcast address is done by checking whether, for the address being checked, the bits not set in the netmask are all 1's.

If your capture filter expression doesn't check for IP broadcasts, you can pass any value you want to as the netmask argument to "pcap_compile()", including 0x00000000, 0xFFFFFFFF, or 0xDEADBEEF, as the value won't be used. (If you're not using a capture filter expression at all, you're not even calling "pcap_compile()", so the netmask is irrelevant there as well.)

> If I use "any" as the device
> in pcap_lookupnet(), that means there will be a list of netmasks, one for
> each interface. How can I achieve this?

You can't, and, if you aren't doing checks for IP broadcast addresses in filter expressions, you don't need to.

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
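Added example, not part of the original message and not libpcap code: the broadcast check as the reply describes it, applied with each interface's own netmask, which is what a single pcap_compile() netmask cannot express on the "any" device. The interface table, addresses and function names are constructed for illustration, and the code models only the check as worded above, not the filter code libpcap generates.

```c
#include <stdint.h>
#include <stdio.h>

#define IP(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Constructed sample interfaces (documentation address ranges), host byte order. */
struct iface { const char *name; uint32_t netmask; };
static const struct iface ifaces[] = {
    { "eth0", 0xFFFFFF00u },  /* e.g. 192.0.2.0/24    */
    { "eth1", 0xFFFFFFC0u },  /* e.g. 198.51.100.0/26 */
};
#define NIFACES (sizeof ifaces / sizeof ifaces[0])

/* The check as the message describes it: dst is a broadcast address if the
 * bits NOT set in the netmask are all 1's in dst. */
int is_broadcast(uint32_t dst, uint32_t netmask)
{
    uint32_t hostbits = ~netmask;
    return (dst & hostbits) == hostbits;
}

/* Bit i of the result is set if dst is a broadcast under ifaces[i]'s netmask. */
unsigned broadcast_matches(uint32_t dst)
{
    unsigned hits = 0;
    for (size_t i = 0; i < NIFACES; i++)
        if (is_broadcast(dst, ifaces[i].netmask))
            hits |= 1u << i;
    return hits;
}

int main(void)
{
    uint32_t dsts[] = { IP(192,0,2,255), IP(198,51,100,63), IP(198,51,100,20) };
    for (size_t d = 0; d < sizeof dsts / sizeof dsts[0]; d++) {
        unsigned hits = broadcast_matches(dsts[d]);
        printf("%08x:", (unsigned)dsts[d]);
        for (size_t i = 0; i < NIFACES; i++)
            printf(" %s=%s", ifaces[i].name, (hits >> i) & 1 ? "bcast" : "no");
        /* Degenerate masks: 0 matches only 255.255.255.255; all-ones has no
         * host bits, so this check matches every address. */
        printf(" mask0=%d maskFF=%d\n", is_broadcast(dsts[d], 0),
               is_broadcast(dsts[d], 0xFFFFFFFFu));
    }
    return 0;
}
```

The same destination can be a broadcast under one interface's netmask and an ordinary host address under another's, so a tool capturing on "any" that cares about broadcasts has to make this decision per interface in its own code.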
