libpcap

[Lev Walkin]

Andrew Konstantinov wrote:
> Hello,
> 
> I am writing a program which takes advantage of libpcap but I've run into
> several problems with it: 1) Is there any way how I can specify in the
> filter description that it should match only incoming packets on some
> interface? inbound/outbound keywords work only for 'slip' (according to
> tcpdump man page). I could do that with 'not src host' and then put the
> local hostname after that, but is there a more general solution, without
> the need for local hostname or ip address?

No, there isn't. Please study the bpf manual page to find out what
capabilities libpcap could export to its user, because libpcap uses
bpf device on FreeBSD.

> 2) I can't figure out how to
> setup a filter so it could match several ports at once. For example, I
> want the filter to only match 21-25 and 113 ports for incoming traffic.
> How do I do that? Right know I can see only two solutions. I could simply
> sniff all the traffic, and then filter out the interesting ports by
> myself, or I could setup several filters each of which would be
> responsible for a specific port. But both solutions seem to be
> inefficient. Is there a better way to accomplish this? Any help will be
> greatly appriciated.

"port 21 or ... or port 25 or port 113"


-- 
Lev Walkin
vlm at netli.com