[Winpcap-users] Can I capture inbound packets only?

Guy Harris guy at alum.mit.edu
Wed Feb 15 01:33:21 GMT 2006


On Feb 14, 2006, at 4:52 PM, Loris Degioanni wrote:

> This was about not capturing the packets that the user sends on the  
> pcap interface (what I called "pcap adapter level" in my previous  
> mail).

I.e., that's all that the NDIS_FLAGS_DONT_LOOPBACK and  
NDIS_FLAGS_SKIP_LOOPBACK flags do - they can't prevent packets sent  
by, say, the IP protocol module from being looped back and supplied  
to WinPcap?  The page at

	http://www.ndis.com/papers/loopback.htm

suggest that they're flags you set on the packet as it's being sent,  
so that wouldn't help.

Do any of the NDIS packet filter settings suppress looped-back  
packets?  They might not work in promiscuous mode, but I suspect most  
of the people who don't want to see outgoing packets are arguably  
abusing libpcap/WinPcap as a tool for making protocol implementations  
rather than passive sniffers; in the past, I've suggested that  
perhaps there should be a *completely separate library* for people  
doing user-mode protocol implementations atop {BPF, DLPI, PF_PACKET  
sockets, NDIS, etc.), as that'd allow different features of at least  
some of those mechanisms (in particular, the ones such as DLPI and  
NDIS that were *NOT* primarily designed for packet sniffers) to be  
used, which might work better for those applications.



More information about the Winpcap-users mailing list