Fingolfin

Reputation: 5533

pCap capturing outgoing packets

The question is, does the pCap library allow capturing packets that are generated by the local system? Something like the netfilter hook NF_IP_LOCAL_OUT, but in user-space?
If pCap cannot support this, is there any well-supported library that can?

Looking on the web, some people mentioned that pCap has a function called setDirection which sets which traffic we're capturing according to traffic direction, but many people said this function is only on Windows; and I am kinda limited in time to learn about pCap just to test if it can do what I need to do.

Upvotes: 2

Views: 3061

Answers (3)

user862787

The question is, does pCap library allow capturing packets that are generated by the local system?

Yes. In fact, it captures them by default. You can, in newer versions of libpcap, disable that by calling pcap_setdirection(), but, by default, it captures both incoming and outgoing packets on the interface on which you're capturing. pcap_setdirection() exists in newer versions of WinPcap, but it just returns an error; there's a flag for the WinPcap-only pcap_open() that lets you disable capturing outgoing packets.

Upvotes: 3
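The kernel mechanism behind the behaviour described above, as an added example that is not code from the answer: on Linux, every frame read from a packet socket carries a direction tag (sll_pkttype), and PACKET_OUTGOING marks frames this host generated; libpcap's pcap_setdirection() on Linux filters on that same tag. This example uses a raw AF_PACKET socket directly rather than libpcap, and assumes Linux and an interface name such as eth0.

```python
import socket
import struct

# sll_pkttype values from <linux/if_packet.h>; PACKET_OUTGOING (4) marks
# frames transmitted by the local host, which is what pcap_setdirection()
# on Linux uses to drop or keep them.
PACKET_HOST, PACKET_BROADCAST, PACKET_MULTICAST, PACKET_OTHERHOST, PACKET_OUTGOING = range(5)
ETH_P_ALL = 0x0003   # receive every protocol
ETH_P_IP = 0x0800    # Ethernet type for IPv4

def direction(pkttype):
    """Map the kernel's sll_pkttype to a pcap-style direction label."""
    return "out" if pkttype == PACKET_OUTGOING else "in"

def parse_ipv4(frame):
    """Return (src, dst, proto) for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 34:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_IP:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or len(frame) < 14 + ihl:
        return None
    proto = frame[23]                      # IPv4 protocol field
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    return src, dst, proto

def capture_outgoing(ifname, count=10):
    """Print only frames this host transmits on ifname (needs CAP_NET_RAW)."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.bind((ifname, 0))
    seen = 0
    while seen < count:
        frame, addr = s.recvfrom(65535)
        # addr = (ifname, proto, pkttype, hatype, hwaddr); the kernel sets
        # pkttype, so user-space sees locally generated traffic by default.
        if direction(addr[2]) != "out":
            continue
        seen += 1
        print(direction(addr[2]), parse_ipv4(frame) or "non-IPv4")
    s.close()

if __name__ == "__main__":
    import sys
    capture_outgoing(sys.argv[1] if len(sys.argv) > 1 else "eth0")
```

Run it as root (or with CAP_NET_RAW) and pass the interface name; dropping the pkttype check shows both directions, which is libpcap's default.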

Sunil Bojanapally

Reputation: 12658

Also, dumpcap -i <capture interface> captures the live traffic.

Dumpcap is a network traffic dump tool. It lets you capture packet data from a live network and write the packets to a file. Dumpcap's native capture file format is libpcap format, which is also the format used by Wireshark, tcpdump and various other tools.

Upvotes: 0

Mats Petersson

Reputation: 129314

I've certainly used tcpdump (on Linux) to capture traffic on a local interface and originating from the machine itself. Since tcpdump uses libpcap, this must be possible.

I'm afraid this is a rather rubbish answer, because I can't tell you exactly HOW to configure libpcap to capture your local packets. However, I would suggest that tcpdump is a good starting point - either by simply using tcpdump itself, or by looking at the code [which is probably quite large and complex, of course, but if you can figure out what settings you need to make tcpdump do what you want, then you can perhaps add some code to tcpdump to print the settings it uses for the same thing].

Again, slight apology for not "giving you the code".

Upvotes: 1