[Winpcap-users] Filter Problem
Deston High
mqx at low-axs.net
Sat Nov 26 23:20:58 GMT 2005
Guy Harris wrote:
> Deston High wrote:
>
>> Hmm... that's a problem. The program I write shouldn't run only on
>> PCs which use PPPoE. :(
>> Any workaround?
>
>
> 1) Download the WinPcap source, update its BPF compiler to the version
> in the current top-of-CVS-tree version of libpcap (which is not in any
> libpcap release or WinPcap release), compile the new WinPcap and
> replace wpcap.dll with the one you built, and then use
>
> pppoes and tcp and port 60000
>
> as the filter if you're interested only in traffic running over the
> PPPoE connection.
>
> 2) See if there's a PPP device on which you can capture, and try
> capturing on that rather than on the Ethernet on which that PPP device
> is running.

That would be a very good variant if it were only PPPoE! But it isn't. :(
It should run on any protocol which runs over Ethernet (at least
most of them) or only Ethernet (if on LAN).

OK. I'll tell you what I'm trying to do. I'm coding a scanner, which, atm, works
great (just the fact with my prob), and in order to get all the
additional headers (like PPPoE, etc.) I copy them from a (fake) packet I
sent with a raw socket (Winsock).
(It was the easiest way for me.) Atm, the scanner is damn fast! ...big
thx to libpcap/winpcap!!!
With my workaround the coding style looks bad. And it is.

Is it possible to use a filter like this: "pppoe or ether or xxx and tcp
and port 60000"? Should work, right?

>
>> Oh, I see 192.168.0.1 was indeed a bad example.. in the program it
>> isn't a LAN IP, it's the internet IP.
>> So let's say it's 123.123.123.123 and it is also the source IP. So
>> it's FROM. ("src host 123.123.123.123") ;-)
>> And, YES, I capture on Ethernet.
>
>
> "On Ethernet" doesn't indicate whether the traffic is
> IP-directly-over-Ethernet or IP-over-PPP-over-Ethernet. Is the
> traffic you're capturing with the "src host" filter running on
> IP-directly-over-Ethernet or is it running on IP-over-PPP-over-Ethernet?

I capture on the Ethernet device (NIC). So, for me it's definitely
IP-over-PPP-over-Ethernet.
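
An added example, not part of the original message and not libpcap or WinPcap code: a Python sketch of a "tcp and port 60000" test done on raw captured frames, showing that the IPv4 header sits at a different offset for IP-directly-over-Ethernet than for IP-over-PPP-over-Ethernet. The function names and the two sample frames are constructed for illustration.

```python
import struct

ETH_IPV4, ETH_PPPOE_SESSION, PPP_IPV4 = 0x0800, 0x8864, 0x0021

def ip_offset(frame, allow_pppoe=True):
    """Offset of the IPv4 header in an Ethernet frame, or None."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == ETH_IPV4:
        return 14                       # IP-directly-over-Ethernet
    if allow_pppoe and ethertype == ETH_PPPOE_SESSION and len(frame) >= 22:
        # 6-byte PPPoE session header, then the 2-byte PPP protocol field
        if struct.unpack_from("!H", frame, 20)[0] == PPP_IPV4:
            return 22                   # IP-over-PPP-over-Ethernet
    return None

def matches_tcp_port(frame, port, allow_pppoe=True):
    """Rough equivalent of 'tcp and port N' for IPv4 in either encapsulation."""
    off = ip_offset(frame, allow_pppoe)
    if off is None or len(frame) < off + 20:
        return False
    ihl = (frame[off] & 0x0F) * 4
    if frame[off] >> 4 != 4 or ihl < 20 or frame[off + 9] != 6:
        return False                    # not IPv4, bad header, or not TCP
    if struct.unpack_from("!H", frame, off + 6)[0] & 0x1FFF:
        return False                    # non-first fragment: no TCP header here
    if len(frame) < off + ihl + 4:
        return False
    return port in struct.unpack_from("!HH", frame, off + ihl)

# Constructed sample frames (made-up MACs and addresses), TCP 60000 -> 1234.
MACS = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
IP_TCP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([123, 123, 123, 123]), bytes([10, 0, 0, 2])) \
       + struct.pack("!HHIIBBHHH", 60000, 1234, 0, 0, 0x50, 0x02, 1024, 0, 0)
DIRECT = MACS + struct.pack("!H", ETH_IPV4) + IP_TCP
PPPOE = (MACS + struct.pack("!H", ETH_PPPOE_SESSION)
         + struct.pack("!BBHH", 0x11, 0x00, 1, len(IP_TCP) + 2)
         + struct.pack("!H", PPP_IPV4) + IP_TCP)

if __name__ == "__main__":
    for name, frame in (("direct", DIRECT), ("pppoe", PPPOE)):
        print(name, matches_tcp_port(frame, 60000, allow_pppoe=False),
              matches_tcp_port(frame, 60000))
```

With `allow_pppoe=False` the check behaves like a filter that only understands plain Ethernet and misses the PPPoE-encapsulated frame; with the default it accepts both.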