[tcpdump-workers] libpcap picks up sent packets on freebsd (plus link state query)

mate csaba matecs at niif.hu
Thu Jan 7 06:50:21 EST 2016


On 01/07/2016 11:51 AM, Guy Harris wrote:
> On Jan 7, 2016, at 2:20 AM, mate csaba <matecs at niif.hu> wrote:
>> i'm developing a router (rtros.nop.hu) which uses libpcap to capture and send packets to interfaces.
>> the interface handler can be found here: http://sources.nop.hu/src/zzz/nat-pcapInt.c
>> it's an interface<---->udp socket converter tool: when a packet captured, it'll be sent
>> to the udp, when a packet received from the udp, it'll be sent to the interface.
>> it works fine on linux for years. now i've noticed that on debian/sid/kfreebsd,
>> when i send a packet to the interface, it's get captured.
>> could you give me hints how to avoid it in a platform independent manner?
> If you limit yourself to platforms on which libpcap has the pcap_setdirection() function, try calling
> 	pcap_setdirection(ifacePcap, PCAP_D_IN);
> before the
> 	printf("serving others\n");
> call.
thanks for the hint, this solved my issue: now it works fine on both 
linux and kfreebsd.

> (I'm a bit surprised that you're not seeing outgoing packets on Linux, though.)
surely it worked fine without setdir, i'm testing regularly since linux 
2.6 times on debian/sid/{i386|amd64}...

>> and a bonus feature request (?):
>> could you please provide an api for interface up/down states?
> An API to query the interface state?
yess. a libpcap api which is a wrapper for SIOCGIFFLAGS & (IFF_RUNNING | 
IFF_UP) or similar....
it would be very elegant if i don't call ioctl at all from this pcap 
code.... i've other codes for linux
which uses raw sockets or zerocopy, they need to call ioctls, but pcap 
code really should not...

> Or a mechanism to get notified of interface state changes?
this one would be also nice if i would like to achieve interface down 
detection within some millisecs for fast routing protocol convergence...
(my side is ready for it so if you've plans here, i would be really 
happy to test out the results...)

> The first could probably be done fairly straightforwardly (but you obviously will only be able to use it if you have a newer version of libpcap).
so you mean that there's a function somewhere, like setdirection? could 
you point me to the right direction once again, please? :)

> The latter would involve more work, and might not be possible if the OS doesn't have a mechanism to deliver those events.  (Linux and OS X can, I think - Wireshark uses mechanism on those OSes to be notified when interfaces appear and disappear - but it'd take a bit of work to find out what mechanisms, if any, exist on various *BSDs, Solaris, Windows, etc..)
sounds interesting... if you implement interface down callback, i would 
appreciate it....
and if a platform can't do it, i still can query periodically the 
interface state with poll mechanism you mentioned above...


More information about the tcpdump-workers mailing list