[tcpdump-workers] libpcap picks up sent packets on freebsd (plus link state query)

Guy Harris guy at alum.mit.edu
Thu Jan 7 05:51:17 EST 2016

On Jan 7, 2016, at 2:20 AM, mate csaba <matecs at niif.hu> wrote:

> i'm developing a router (rtros.nop.hu) which uses libpcap to capture and send packets to interfaces.
> the interface handler can be found here: http://sources.nop.hu/src/zzz/nat-pcapInt.c
> it's an interface<---->udp socket converter tool: when a packet captured, it'll be sent
> to the udp, when a packet received from the udp, it'll be sent to the interface.
> it works fine on linux for years. now i've noticed that on debian/sid/kfreebsd,
> when i send a packet to the interface, it's get captured.
> could you give me hints how to avoid it in a platform independent manner?

If you limit yourself to platforms on which libpcap has the pcap_setdirection() function, try calling

	pcap_setdirection(ifacePcap, PCAP_D_IN);

before the

	printf("serving others\n");


(I'm a bit surprised that you're not seeing outgoing packets on Linux, though.)

> and a bonus feature request (?):
> could you please provide an api for interface up/down states?

An API to query the interface state?

Or a mechanism to get notified of interface state changes?

The first could probably be done fairly straightforwardly (but you obviously will only be able to use it if you have a newer version of libpcap).

The latter would involve more work, and might not be possible if the OS doesn't have a mechanism to deliver those events.  (Linux and OS X can, I think - Wireshark uses mechanism on those OSes to be notified when interfaces appear and disappear - but it'd take a bit of work to find out what mechanisms, if any, exist on various *BSDs, Solaris, Windows, etc..)

More information about the tcpdump-workers mailing list