Inbound/outbound not supported on linktype 1 when reading savefiles

梦想的初衷 submitted on 2019-12-11 08:48:03

Question


To get incoming packets from a pcap file, I set an "inbound" filter in pcap_compile(). Here is the partial code.

  #include <stdio.h>
  #include <stdlib.h>
  #include <pcap/pcap.h>

  int main(void)
  {
    char errbuf[PCAP_ERRBUF_SIZE];
    pcap_t *pcap = pcap_open_offline("test.pcap", errbuf);
    if (pcap == NULL)
    {
      fprintf(stderr, "error reading pcap file: %s\n", errbuf);
      exit(1);
    }

    /* "inbound" is a direction qualifier in the filter language */
    char filter_exp[] = "inbound";
    struct bpf_program pgm;
    if (pcap_compile(pcap, &pgm, filter_exp, 0, PCAP_NETMASK_UNKNOWN) == -1) {
      printf("Bad filter - %s\n", pcap_geterr(pcap));
      return 1;
    }

    if (pcap_setfilter(pcap, &pgm) == -1) {
      printf("Error setting filter - %s\n", pcap_geterr(pcap));
      return 1;
    }

    pcap_freecode(&pgm);
    pcap_close(pcap);
    return 0;
  }

But here is the error message:

Bad filter - inbound/outbound not supported on linktype 1 when reading savefiles

I googled and found these possible solutions.

How to filter the inbound packet by libpcap in C:

The "inbound" filter is not available for the Ethernet link type (a cooked capture would have it eg.). Is it sufficient for your needs to filter on destination MAC or IP address ?

How to determine packet direction using libpcap:

The source or target IP address is sufficient. If the source is local, it's outbound. If the target is local, it's inbound. If neither, it's a promiscuous sniff.

Looks like the only way is to determine whether the packet's target IP address is local or not. But how do I know the local IP address from a pcap file?


Answer 1:


Barmar is right in that you can't know for sure if an IP address is local from your pcap file only. However, if you know the pcap wasn't captured on a promiscuous interface, you may try to guess the address of the interface.

You can either guess the IP or the Ethernet address. The Ethernet address is probably best since you may not have only IP packets in your pcap file. It may however be less clear which Ethernet address is your interface's because the gateway's address will also be in a large number of packets.


Guessing the interface's Ethernet address

$ tshark -r tmp.pcap -T fields -e eth.src -e eth.dst | grep -Po "(\w{2}:){5}\w{2}" | sort | uniq -c
     11 01:00:5e:00:00:01
     41 01:00:5e:00:00:fb
     11 01:00:5e:00:00:fc
     27 01:00:5e:7f:ff:fa
     34 00:00:00:00:00:01
     31 00:00:00:00:00:fb
  11815 00:00:d9:97:5b:37
    905 00:00:eb:12:48:d6
  11115 00:00:b0:7b:ce:08
     80 ff:ff:ff:ff:ff:ff

Each Ethernet address is displayed with the number of packets it's contained in (as source or destination). The Ethernet address with the largest number of packets is likely your interface's. The second largest one is likely the gateway's.

Packets with the interface's address as destination are inbound packets, and vice versa.


Guessing the interface's IP address

$ tshark -r tmp.pcap -T fields -e ip.src -e ip.dst ip | grep -Po "(\d+\.){3}\d+" | sort | uniq -c

Same principle here: you should see one IP address with a large number of packets. That's likely your interface's.
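The MAC-frequency heuristic from the answer above, carried into code as an added example (not from the question, the answer, or libpcap): it parses a classic pcap file (linktype 1) without libpcap, takes the most frequent unicast Ethernet address as the interface's, and tags each frame inbound, outbound or other. The sample capture is constructed inline, and HOST, GW and PEER are made-up addresses.

```python
import struct
from collections import Counter

LINKTYPE_ETHERNET = 1

def parse_pcap(data):
    """Yield the frame bytes of every record in a classic pcap file (linktype 1)."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"   # else magic is byte-swapped
    linktype = struct.unpack_from(endian + "IHHiIII", data, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only linktype 1 (Ethernet) is handled here")
    off = 24                                                   # global header size
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16                                              # record header size
        yield data[off:off + incl_len]
        off += incl_len

def guess_interface_mac(frames):
    """The unicast MAC seen most often (as src or dst) is taken to be the interface's."""
    counts = Counter()
    for f in frames:
        for mac in (f[0:6], f[6:12]):
            if not mac[0] & 1:       # group bit set => broadcast/multicast, never "ours"
                counts[mac] += 1
    return counts.most_common(1)[0][0]

def classify(data):
    """Return (guessed interface MAC, per-frame direction list) for a pcap byte string."""
    frames = list(parse_pcap(data))
    mine = guess_interface_mac(frames)
    dirs = []
    for f in frames:
        dst, src = f[0:6], f[6:12]
        dirs.append("inbound" if dst == mine else "outbound" if src == mine else "other")
    return mine, dirs

# Constructed sample capture: HOST, GW and PEER are made-up addresses, not from the page.
def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def frame(dst, src):
    return dst + src + b"\x08\x00" + b"\x00" * 20         # EtherType IPv4, dummy payload

HOST, GW, PEER, BCAST = (bytes.fromhex(h) for h in ("020000aa0001", "020000bb0001", "020000cc0001", "ffffffffffff"))
SAMPLE = build_pcap([frame(HOST, GW), frame(GW, HOST), frame(HOST, GW), frame(BCAST, PEER), frame(HOST, PEER)])
```

Like the tshark count, this is only a guess: it assumes a non-promiscuous capture where the host's own address dominates, and a tie between the host and gateway would be resolved arbitrarily.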



Source: https://stackoverflow.com/questions/50884335/inbound-outbound-not-supported-on-linktype-1-when-reading-savefiles
