[Winpcap-users] PCAP_OPENFLAG_NOCAPTURE_LOCAL ignored and PCAP_SETDIRECTION()
Guy Harris
guy at alum.mit.edu
Thu Sep 29 07:39:24 UTC 2016
On Sep 28, 2016, at 9:23 PM, Daniel Smith <zamadatix at gmail.com> wrote:
> It looks like I just misinterpreted this piece of the documentation:
>
> "Defines if the local adapter will capture its own generated traffic.
> This flag tells the underlying capture driver to drop the packets that were sent by itself. This is usefult when building applications like bridges, that should ignore the traffic they just sent."
>
> But PCAP_OPENFLAG_NOCAPTURE_LOCAL doesn't do *quite* that, instead of being based on if the traffic was sent by the driver/local adapter it actually seems to be dependent on if it was sent by the exact pcap_open function that the device pointer holds.
"Itself" here means "the underlying capture driver"; if a packet was sent by the regular networking stack, that's *not* one of the packets that gets dropped - only packets sent by the capture driver, i.e. sent by a pcap call, count.
It may also be that it only detects packets sent by the same *instance* of the driver, so that it only filters out packets sent using the same pcap_t.
More information about the Winpcap-users
mailing list