Is there a way to capture inbound packets only? asked 12 May '16, 21:25  jagboy26 edited 13 May '16, 13:56  sindy |
One Answer:
If you capture at wired Ethernet, it is usually enough to use capture filter NB: the reason why I have changed your original title is that there is a bunch of other questions, all dealing with the reverse problem - "why I can only see inbound (or only outbound) packets?". So the reason why no one has answered you yet may be that your original title was a bit repellent. answered 13 May '16, 14:05 sindy |
Thanks Sindy. Even after putting the filter I see the packets. What I am trying to do is send packets using tcpreplay and monitor the same interface with dumpcap. What is see is that the packets which are being sent with tcpreplay is also captured on dumpcap, which is what I want to avoid. This is what my filter looks like: dumpcap -f "not ether src host 00:0a:f7:84:55:ec" -i eth4
Before reading further, please try to remove
hostfrom the filter expression and try again.If that doesn't help, I'm afraid that the reason why that capture filter doesn't work is that the pcap file you tcpreplay is not a recording of previous live traffic of your eth4 but has been taken somewhere else.
Tcpreplay replays the pcap as verbatim as possible unless you ask it to do otherwise, e.g. by rewriting the MAC address prior to replaying the frame which is probably not what you want. Therefore, I assume that the source MAC addresses of the sent frames do not match your eth4's one.
The physical direction of packets is not filterable because information about it is not part of the packet contents itself. Some space for information about packet direction is foreseen in pcapng format, which allows to augment the packet data with additional information and defines appropriate information fields which Wireshark understands. But to date no *pcap version I know provides these data, and thus does not extend the capture filter with the ability to filter on them.
So as it stands now, you'll have to use hardware to reach your goal. You may use:
an Ethernet tap which copies each transmission direction to a separate output, which you'd connect to another NIC of your machine,
a manageable switch which allows to mirror traffic on ports and can be configured to monitor only egress (outgoing) packets of a port. Again, you'd connect the monitoring port to another NIC of your machine.
Or, if you feel like that, you may want to modify libpcap to capture only incoming traffic.
One additional remark: if some of the MAC addresses which occur as source ones in the pcap you tcpreplay are active in the LAN to which you are connected while tcpreplaying, both the live traffic and your simulation will be affected heavily, as the switch will see the same source MAC address in packets coming in through two distinct ports.