Discussion:
mac addr of the destination in linux cooked capture
Ankith Agarwal
2011-04-26 10:45:13 UTC
Hi
I am trying to capture incoming packets in all the interfaces using
pcap. I just wanted to know if there is a way of finding the interface (MAC
address or name) from which the packet has arrived?

(As I am using the "any" interface, I am getting the Linux cooked
capture header in the packet and this header only contains the source MAC
address, but I wanted to know the destination MAC address so that I can
compare it with the available interfaces' MAC addresses and get the
interface from which the packet has arrived.)

Regards
Ankith

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
Guy Harris
2011-04-26 17:09:20 UTC
On Apr 26, 2011, at 3:45 AM, Ankith Agarwal wrote:

> I am trying to capture incoming packets in all the interfaces using
> pcap. I just wanted to know if there is a way of finding the interface (MAC
> address or name) from which the packet has arrived?
>
> (As I am using the "any" interface, I am getting the Linux cooked
> capture header in the packet and this header only contains the source MAC
> address, but I wanted to know the destination MAC address

Then you can't use the "any" interface, because, for a PF_PACKET/SOCK_DGRAM socket, which is what is used for the "any" interface, that information is not supplied - that's why the header for DLT_LINUX_SLL packets:

http://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html

doesn't contain the destination address.
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
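
The 16-byte cooked header described at the link in the reply above, decoded as an added example (not code from the thread or from libpcap). The names `sll_parse` and `sll_info` and the sample bytes are constructed for illustration; the single address field carries the sender's address, so nothing in the header identifies the receiving interface.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLL_HDR_LEN  16   /* fixed size of the cooked (v1) header */
#define SLL_ADDR_MAX 8    /* the address field is always 8 bytes, zero-padded */

struct sll_info {
    uint16_t pkttype;            /* 0 to us, 1 broadcast, 2 multicast, 3 to another host, 4 sent by us */
    uint16_t hatype;             /* ARPHRD_ type of the device, 1 = Ethernet */
    uint16_t addr_len;           /* usable bytes in addr, clamped to 8 */
    uint8_t  addr[SLL_ADDR_MAX]; /* SENDER's link-layer address; no destination field exists */
    uint16_t protocol;           /* protocol type, e.g. 0x0800 = IPv4 */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Decode the header (all fields big-endian); returns the payload offset (16) or -1 if too short. */
int sll_parse(const uint8_t *buf, size_t len, struct sll_info *out)
{
    if (buf == NULL || out == NULL || len < SLL_HDR_LEN)
        return -1;
    out->pkttype  = be16(buf);
    out->hatype   = be16(buf + 2);
    out->addr_len = be16(buf + 4);
    if (out->addr_len > SLL_ADDR_MAX)   /* longer addresses are truncated in the header */
        out->addr_len = SLL_ADDR_MAX;
    memcpy(out->addr, buf + 6, SLL_ADDR_MAX);
    out->protocol = be16(buf + 14);
    return SLL_HDR_LEN;
}

/* Constructed sample: unicast to us, Ethernet, sender 00:11:22:33:44:55, IPv4. */
static const uint8_t sll_sample[SLL_HDR_LEN] = {
    0x00, 0x00,  0x00, 0x01,  0x00, 0x06,
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x00, 0x00,
    0x08, 0x00
};

int main(void)
{
    struct sll_info h;
    if (sll_parse(sll_sample, sizeof sll_sample, &h) < 0) return 1;
    printf("pkttype=%u hatype=%u proto=0x%04x sender=", (unsigned)h.pkttype, (unsigned)h.hatype, (unsigned)h.protocol);
    for (unsigned i = 0; i < h.addr_len; i++)
        printf("%s%02x", i ? ":" : "", h.addr[i]);
    putchar('\n');
    return 0;
}
```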
Ankith Agarwal
2011-04-27 03:48:42 UTC
Hi
Thanks for the reply. One more thing, if I am particular in getting the
destination MAC address, then is it better to run a pcap instance for each
of the interfaces of the system?

-> If yes, then is there a way to optimize multiple instances of
pcap? (Because I have tried it, and multiple instances of pcap use a lot
of CPU power.)

Regards
Ankith

On Tue, Apr 26, 2011, Guy Harris <***@alum.mit.edu> said:

>
> On Apr 26, 2011, at 3:45 AM, Ankith Agarwal wrote:
>
>> I am trying to capture incoming packets in all the interfaces using
>> pcap. I just wanted to know if there is a way of finding the interface (MAC
>> address or name) from which the packet has arrived?
>>
>> (As I am using the "any" interface, I am getting the Linux cooked
>> capture header in the packet and this header only contains the source MAC
>> address, but I wanted to know the destination MAC address
>
> Then you can't use the "any" interface, because, for a PF_PACKET/SOCK_DGRAM socket, which is what is used for the "any" interface, that information is not supplied - that's why the header for DLT_LINUX_SLL packets:
>
> http://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html
>
> doesn't contain the destination address.
Guy Harris
2011-04-27 04:10:33 UTC
On Apr 26, 2011, at 8:48 PM, Ankith Agarwal wrote:

> Thanks for the reply. One more thing, if I am particular in getting the
> destination MAC address, then is it better to run a pcap instance for each
> of the interfaces of the system?

For each of the *LAN* interfaces of the system. Not all interfaces, on all systems, *have* MAC addresses. You might have a PPP interface, for example.

What exactly is your program trying to do? It might make sense to open a PF_PACKET socket yourself, and get the interface index from the sockaddr_ll filled in by recvfrom()

http://www.kernel.org/doc/man-pages/online/pages/man7/packet.7.html

or supplied in the ring buffer with the memory-mapped interface.
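
The approach suggested above, reading the interface index from the `sockaddr_ll` that `recvfrom()` fills in, as an added example that is not part of the original thread. `pkttype_name`, `describe_origin` and `capture` are hypothetical helper names, and opening the socket requires CAP_NET_RAW.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <net/if.h>
#include <net/ethernet.h>      /* ETH_P_ALL */
#include <linux/if_packet.h>   /* struct sockaddr_ll, PACKET_* */

/* sll_pkttype as text; values outside PACKET_HOST..PACKET_OUTGOING map to "unknown". */
static const char *pkttype_name(unsigned char t)
{
    static const char *const names[] = {
        [PACKET_HOST] = "to-us", [PACKET_BROADCAST] = "broadcast", [PACKET_MULTICAST] = "multicast",
        [PACKET_OTHERHOST] = "other-host", [PACKET_OUTGOING] = "outgoing",
    };
    return t < sizeof names / sizeof names[0] ? names[t] : "unknown";
}

/* Format a packet's origin from the sockaddr_ll alone; returns the interface index. */
int describe_origin(const struct sockaddr_ll *sll, char *out, size_t outlen)
{
    char name[IF_NAMESIZE];
    if (if_indextoname((unsigned)sll->sll_ifindex, name) == NULL)
        snprintf(name, sizeof name, "if%d", sll->sll_ifindex);  /* index has no name (interface gone) */
    snprintf(out, outlen, "%s %s proto=0x%04x", name,
             pkttype_name(sll->sll_pkttype), (unsigned)ntohs(sll->sll_protocol));
    return sll->sll_ifindex;
}

/* Read `count` packets from every interface with one unbound socket; returns packets read or -1. */
int capture(int count)
{
    unsigned char buf[65536];
    char line[64];
    int seen = 0, fd = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL));
    if (fd < 0) return -1;
    for (; seen < count; seen++) {
        struct sockaddr_ll from;
        socklen_t fromlen = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &fromlen);
        if (n < 0) break;
        describe_origin(&from, line, sizeof line);   /* from.sll_ifindex is the receiving interface */
        printf("%zd bytes via %s\n", n, line);
    }
    close(fd);
    return seen;
}
int main(void) { return capture(10) < 0; }
```

One socket covers all interfaces, which avoids running a capture instance per interface; the address in `sll_addr` is still the sender's, so the interface is identified by index rather than by destination MAC.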
Ankith Agarwal
2011-04-27 06:07:53 UTC
On Wed, Apr 27, 2011, Guy Harris <***@alum.mit.edu> said:

> For each of the *LAN* interfaces of the system. Not all interfaces, on all systems, *have* MAC addresses. You might have a PPP interface, for example.
>
> What exactly is your program trying to do? It might make sense to open a PF_PACKET socket yourself, and get the interface index from the sockaddr_ll filled in by recvfrom()
>

I am writing a tool for analyzing VoIP calls remotely. The idea is to
run a pcap instance at the client side and forward all the packets to the
server, for QoS parameter calculation. I have made my own packet format
for forwarding the packets. For this purpose I need to know the interface
from which the RTP packets are arriving. I have taken the MAC addresses of
all the LAN interfaces from sys filesystem, and the idea was to compare
this address with the obtained destination MAC address of the packet, so
that the interface could be known. Is it feasible to do it this way or is
there any better way to achieve it?

Regards
Ankith

