A new filter "ifindex" for LINUX_SLL2 and live Linux captures #829
Conversation
|
As a user, I’d rather be able to filter by interface name like in some BSD's but in and out. Something like Way to have 'eth0' -> 'ifindex N' to build a filter? See https://www.tcpdump.org/manpages/pcap-filter.7.html: "ifname interface |
You can't do this on a savefile since the interface name is not stored in the savefile. ifindex works in both live captures and savefile mode, even if it's less friendly. Reworking the grammar so that "ifname" is not PF-specific is on my to-do list, but that'd be a different pull request. |
And even if you were on the same machine, the ifindex can change after interfaces come/go, or after a reboot. This is a case where pcapng would be better. |
|
I suggest to rebase this PR on top of master. |
|
Looks like 8c263fd introduced problems with the FreeBSD build. |
gencode.c
Outdated
| b0 = gen_cmp(cstate, OR_LINKHDR, 4, BPF_W, ifindex); | ||
| break; | ||
| default: | ||
| #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) |
There was a problem hiding this comment.
At this point, if we're building for Linux and neither PF_PACKET nor SO_ATTACH_FILTER are defined, libpcap won't build - we require a newer kernel - so it's sufficient to test whether linux is defined.
There was a problem hiding this comment.
Sure, I first posted this way before bfbe856 . Thanks for pointing this out.
Create a filter for the ifIndex field in the LINUX_SLL2 pcap format, and convert it to the right SKF_AD_ value for live captures.