tcpdump mailing list archives

relation of pcap_setdirection and inbound/outbound filter qualifiers


From: Sam Roberts <vieuxtech () gmail com>
Date: Tue, 27 Nov 2012 13:10:29 -0800

We'd like to distinguish between ethernet frames received on an
interface, and sent, and due to the nature of the traffic, we can't
rely on the addressing information in the packets.

Currently, we do this with an external tap that generates separate
pcaps for each direction. Works fine, but needs special hardware. We'd
rather just bridge through a multi-port Linux server.

I note that libpcap has pcap_setdirection(), and someone tried to
introduce a -P flag to set it
(http://sourceforge.net/tracker/?func=detail&aid=2845468&group_id=53066&atid=469575).

Is that because the "host inbound"/"host outbound" qualifiers in the
pcap-filter syntax do the same thing? They aren't very well described;
what do they mean for packets traversing a bridge set up using Linux
ebtables?

And despite the dire warnings in the docs, is inbound and outbound,
pcap_setdirection supported with libpcap 0.8 and Linux >= 3.5?

Thanks,
Sam
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers

