4

I want to have a list of source IP addresses of an interface's outbound traffic. How could I find the direction of a packet, whether it's inbound or outbound, when reading traffic using libpcap? I don't know the subnet information of either side, and there are clients/servers on both sides, so I can't rely on port number ranges to filter traffic.

Why is there no information in the libpcap packet header about direction, or a filter option like inbound in pcap-filter?

Yasser

4 Answers

1

Netsniff-NG, while not relying on libpcap, supports Linux kernel packet type extensions. They're documented here.

One of the packet types is outgoing and commented as "outgoing of any type". The following example will capture all packets leaving your interface.

$ netsniff-ng --in eth0 --out outgoing.pcap --type outgoing

Using this you can utilize other command-line tools to read the PCAP file and pull out all the source addresses. Maybe something *nix-ey like this:

$ tcpdump -nnr outgoing.pcap  | cut -d " " -f3 | cut -d . -f1-4

Note: I haven't tried this on a router.

jonschipp
1

You could use "ether src" or "ether dst" to filter by packet direction. This requires you to know the MAC address of the interface.

1

You can select the direction of the packets that will be captured by calling pcap_setdirection() before pcap_loop().

For example, to capture incoming packets only you need to write:

#include <pcap/pcap.h>

char errbuf[PCAP_ERRBUF_SIZE];
pcap_t *handle = pcap_open_live("eth0", 65535, 1, 0, errbuf);
pcap_setdirection(handle, PCAP_D_IN);   /* only packets received on eth0 */
pcap_loop(handle, -1, process_packet, NULL);

Possible directions are: PCAP_D_IN, PCAP_D_OUT, PCAP_D_INOUT.

See tcpdump.org/manpages/pcap_setdirection.3pcap.txt

0

The PCAP file format does not contain a field that holds the interface used during the capture. With that said, the newer PCAP-NG file format, currently used by Wireshark & TShark, supports it along with packet direction.

Existing pcap-ng features:

  • packet dropped count
  • annotations (comments)
  • local IP address
  • interface & direction
  • hostname <-> IP address database

PcapNg

It sounds like you're capturing from a router or firewall so something like the following would not work.

ip src 192.168.1.1

Capturing the traffic into flows may be an option, but it still will not provide you with direction information. You will, though, be able to determine the source and destination addresses easily. If you have an existing pcap you can convert it to the ARGUS format:

argus -r capture.pcap -w capture.argus
ra -nnr capture.argus

Other tools, some with examples, that can easily obtain endpoints/hosts are:

ntop -f capture.pcap
tcpprof -nr capture.pcap

Wireshark Endpoints

flow-tools

You'll have to parse out the information you want, but I don't think that's too much trouble. I recommend taking a look at PCAP-NG if you can't work with this.

jonschipp
  • 2
    pcap-ng *supports* it, to the extent that the file format has a place where the direction *can* be placed. However, that's "*can* be placed", not "*will* be placed", and, as libpcap/WinPcap currently don't provide that direction information in general, programs that use libpcap/WinPcap to capture, and that can write pcap-ng, such as Wireshark/TShark (and OS X Mountain Lion's tcpdump), don't have a direction indicator to put into the file, and thus don't put it into the file. I.e., pcap-ng is insufficient to solve the entire problem. –  Jan 22 '13 at 23:01
  • Thanks. So there is no way to capture traffic in pcap-ng format? I want to write code in C using libpcap. Should I implement it myself? Is it easy to add this feature to libpcap? I have some basic knowledge of C programming. Who knows the direction? The NIC driver? – Yasser Jan 23 '13 at 06:50
  • There's no way, using libpcap, to get the direction of captured packets. You can save captured packets in pcap or pcap-ng or any format for which you have or can use code to write out packets, but you can't put direction information out, because you don't have it. –  Jan 24 '13 at 01:09
  • You would have to add new interfaces to libpcap to get the direction information, as the current APIs do not have any mechanism to provide that information. That means it's *not* easy to add it. –  Jan 24 '13 at 01:14
  • The driver knows the direction, but libpcap doesn't talk directly to the driver; it talks to an OS-dependent capture mechanism to which the driver talks. Some of them supply direction information, some don't (`PF_PACKET` sockets on Linux do; BPF doesn't). –  Jan 24 '13 at 01:16
  • Thanks Guy. I found [here](http://www.mail-archive.com/tcpdump-workers@lists.tcpdump.org/msg01393.html) that libpcap has been already patched by adding a field to `pcap_pkthdr`. I am working on Linux and this is what I want, a temporary workaround. But the patch link is not available. Could you please give me some clue how I could find or write the same patch? – Yasser Jan 24 '13 at 06:48
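The answer above says pcap-ng "supports" direction and the first comment qualifies that: the format has a place for it (the epb_flags option of an Enhanced Packet Block, option code 2, whose low two bits encode 01 = inbound, 10 = outbound, 00 = not available), but a writer that captured through libpcap has nothing to put there. The following added example (mine, not from the thread) makes that concrete: a small pcapng walker that reports, per packet, whether the file actually carries a direction. It constructs its own two-packet pcapng image, one EPB with epb_flags set to outbound and one EPB with no options, which is what a libpcap-based writer typically produces. It assumes a little-endian file read on a little-endian host; the function names pcapng_directions, epb_direction and build_sample are my own.

```c
/* pcapng_direction.c: walk a pcapng buffer and report each packet's direction
 * from the epb_flags option (code 2, bits 0-1). Added example; assumes a
 * little-endian pcapng section read on a little-endian host. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SHB_TYPE         0x0A0D0D0AU
#define IDB_TYPE         0x00000001U
#define EPB_TYPE         0x00000006U
#define BYTE_ORDER_MAGIC 0x1A2B3C4DU
#define OPT_ENDOFOPT     0
#define OPT_EPB_FLAGS    2

enum pkt_dir { DIR_UNKNOWN = 0, DIR_INBOUND = 1, DIR_OUTBOUND = 2 };

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }

/* Scan an EPB option list; return the direction bits of epb_flags, or
 * DIR_UNKNOWN when the writer did not emit that option at all. */
static int epb_direction(const uint8_t *opts, size_t len) {
    size_t off = 0;
    while (off + 4 <= len) {
        uint16_t code = rd16(opts + off), olen = rd16(opts + off + 2);
        off += 4;
        if (code == OPT_ENDOFOPT) break;
        if (off + olen > len) break;                     /* truncated option: stop */
        if (code == OPT_EPB_FLAGS && olen == 4) {
            uint32_t d = rd32(opts + off) & 0x3u;
            return d == 3 ? DIR_UNKNOWN : (int)d;        /* 11 is not a defined direction */
        }
        off += (olen + 3) & ~(size_t)3;                  /* option values are padded to 32 bits */
    }
    return DIR_UNKNOWN;
}

/* Walk every block; for each EPB append its direction to out[]. Returns the
 * number of EPBs seen, or -1 if buf is not a little-endian pcapng section. */
int pcapng_directions(const uint8_t *buf, size_t len, int *out, size_t max) {
    size_t off = 0, n = 0;
    if (len < 28 || rd32(buf) != SHB_TYPE || rd32(buf + 8) != BYTE_ORDER_MAGIC)
        return -1;
    while (off + 12 <= len) {
        uint32_t type = rd32(buf + off), blen = rd32(buf + off + 4);
        if (blen < 12 || (blen & 3) || off + blen > len) break;   /* malformed block */
        if (rd32(buf + off + blen - 4) != blen) break;             /* trailer length mismatch */
        if (type == EPB_TYPE && blen >= 32) {
            uint32_t caplen = rd32(buf + off + 20);
            size_t opt_off = 28 + (((size_t)caplen + 3) & ~(size_t)3); /* fixed fields + padded data */
            size_t opt_end = blen - 4;                                 /* options end before trailer */
            int d = DIR_UNKNOWN;
            if (opt_off < opt_end)
                d = epb_direction(buf + off + opt_off, opt_end - opt_off);
            if (n < max) out[n] = d;
            n++;
        }
        off += blen;
    }
    return (int)n;
}

static size_t put32(uint8_t *b, size_t o, uint32_t v) { memcpy(b + o, &v, 4); return o + 4; }
static size_t put16(uint8_t *b, size_t o, uint16_t v) { memcpy(b + o, &v, 2); return o + 2; }

/* Constructed sample image: SHB, one Ethernet IDB, an EPB whose writer set
 * epb_flags = outbound, and an EPB with no options. Returns the byte length. */
size_t build_sample(uint8_t *b) {
    size_t o = 0;
    o = put32(b, o, SHB_TYPE); o = put32(b, o, 28); o = put32(b, o, BYTE_ORDER_MAGIC);
    o = put16(b, o, 1); o = put16(b, o, 0);                       /* version 1.0 */
    o = put32(b, o, 0xFFFFFFFFU); o = put32(b, o, 0xFFFFFFFFU);   /* section length -1 (unspecified) */
    o = put32(b, o, 28);
    o = put32(b, o, IDB_TYPE); o = put32(b, o, 20); o = put16(b, o, 1); o = put16(b, o, 0);
    o = put32(b, o, 65535); o = put32(b, o, 20);                  /* LINKTYPE_ETHERNET, snaplen */
    /* EPB #1: 28 fixed + 4 data + 8 epb_flags + 4 opt_endofopt + 4 trailer = 48 bytes */
    o = put32(b, o, EPB_TYPE); o = put32(b, o, 48); o = put32(b, o, 0);
    o = put32(b, o, 0); o = put32(b, o, 0); o = put32(b, o, 4); o = put32(b, o, 4);
    o = put32(b, o, 0xDEADBEEFU);                                  /* filler packet bytes */
    o = put16(b, o, OPT_EPB_FLAGS); o = put16(b, o, 4); o = put32(b, o, DIR_OUTBOUND);
    o = put16(b, o, OPT_ENDOFOPT); o = put16(b, o, 0);
    o = put32(b, o, 48);
    /* EPB #2: same payload, no options (28 + 4 + 4 = 36 bytes) */
    o = put32(b, o, EPB_TYPE); o = put32(b, o, 36); o = put32(b, o, 0);
    o = put32(b, o, 0); o = put32(b, o, 0); o = put32(b, o, 4); o = put32(b, o, 4);
    o = put32(b, o, 0xDEADBEEFU);
    o = put32(b, o, 36);
    return o;
}

int main(void) {
    uint8_t img[256];
    int dirs[8];
    int n = pcapng_directions(img, build_sample(img), dirs, 8);
    static const char *names[] = { "unknown", "inbound", "outbound" };
    for (int i = 0; i < n; i++)
        printf("packet %d: direction %s\n", i, names[dirs[i]]);
    return n < 0;
}
```

Running it prints "outbound" for the first packet and "unknown" for the second: the second is the case the comment describes, a structurally valid pcapng file whose packets carry no direction because the capturing program never had one. The same walker applied to a real file is a quick way to check whether a given writer actually populates epb_flags before building anything on top of it.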