
I'm developing a C application using libpcap. I can capture frames using this code that I developed:

```c
#include <stdio.h>
#include <pcap.h>
#include <net/ethernet.h>   /* struct ether_header */
#include <netinet/ether.h>  /* ether_ntoa() */

/* pcap callback: print the source and destination MAC of each captured frame */
void ethernetCaptureHandler( u_char *args, const struct pcap_pkthdr *packet_header, const u_char *packet_body)
{
    const struct ether_header *eptr;

    /* Ignore captures too short to contain a full Ethernet header */
    if (packet_header->caplen < sizeof(struct ether_header))
        return;
    eptr = (const struct ether_header *) packet_body;

    fprintf(stdout,"ethernet header source: %s\n"
        ,ether_ntoa((const struct ether_addr *)&eptr->ether_shost));
    fprintf(stdout," destination: %s\n"
        ,ether_ntoa((const struct ether_addr *)&eptr->ether_dhost));
}

void *listenEthernetFrame(void *ehternetInterface){   //Thread Handler
    char error_buffer[PCAP_ERRBUF_SIZE];
    pcap_t *handle;
    int timeout_limit = 10000; /* In milliseconds */
    char *ethernet = (char *)ehternetInterface;

    /* Open device for live capture */
    handle = pcap_open_live(
        ethernet,
        BUFSIZ,
        0,
        timeout_limit,
        error_buffer
    );
    if (handle == NULL) {
        fprintf(stderr, "Could not open device %s: %s\n", ethernet, error_buffer);
        return NULL;   /* a thread function returns void *, not an int */
    }

    pcap_loop(handle, 0, ethernetCaptureHandler, NULL);
    pcap_close(handle);
    return NULL;
}
```

The ethernetCaptureHandler function can listen to Ethernet frames and, as you can see, I can get the source and destination MAC addresses. The question is: is there a way to know if the frame is sent or received? (supposing that the frame's source and destination MAC addresses don't change from one node to another)

Otherwise, is there a way to capture only received frames?

Kallel Omar
  • You need a filter, see http://www.tcpdump.org/manpages/pcap-filter.7.html. Looks like you need `ether dst ehost` – jwdonahue Oct 20 '17 at 18:06
  • @jwdonahue thank you for your comment. What I understand is that "ether dst ehost" compares the host MAC address with the destination MAC address. But the problem is, as I said, the destination and source MAC addresses in the frame header don't change from one node to another, because the data link layer isn't intelligent and has no routing role. So the MAC addresses in the frame are the same ones specified by the first device that sent the frame, regardless of intermediate nodes and devices. – Kallel Omar Oct 21 '17 at 08:42
  • Following @jwdonahue's manpage link and a few clicks later: http://www.tcpdump.org/manpages/pcap_setdirection.3pcap.html – A.B Oct 21 '17 at 11:48
  • @A.B thank you. Your suggestion saved me :) – Kallel Omar Oct 21 '17 at 14:14
