tcpdump in freebsd

Thu Jul 26 09:25:57 UTC 2012

On Thu, Jul 26, 2012 at 08:35:29AM +0000, m s wrote:

> hi all. I want to use tcpdump just for input or just for outout
> packet.isthis possible ? if no is there any other command that do
> this?

If filtering by source MAC (or IP) is not enough, you can patch tcpdump
to hack in '-a in|out' using pcap_setdirection().

HTH,
Daniel
-------------- next part --------------
Index: contrib/tcpdump/tcpdump.1
===================================================================
RCS file: /home/ncvs/src/contrib/tcpdump/Attic/tcpdump.1,v
retrieving revision 1.19.2.1.8.1
diff -u -r1.19.2.1.8.1 tcpdump.1

--- contrib/tcpdump/tcpdump.1   3 Mar 2012 06:15:13 -0000       1.19.2.1.8.1
+++ contrib/tcpdump/tcpdump.1   26 Jul 2012 09:16:17 -0000
@@ -33,6 +33,12 @@
 [
 .B \-AdDefIKlLnNOpqRStuUvxX
 ] [
+.B \-a
+.I direction
+]
+.br
+.ti +8
+[
 .B \-B
 .I buffer_size
 ] [
@@ -194,6 +200,9 @@
 special privileges.
 .SH OPTIONS
 .TP
+.B \-a
+Print only packets matching \fIdirection\fP, \fBin\fP or \fBout\fP.
+.TP
 .B \-A
 Print each packet (minus its link level header) in ASCII.  Handy for
 capturing web pages.
Index: contrib/tcpdump/tcpdump.c
===================================================================
RCS file: /home/ncvs/src/contrib/tcpdump/tcpdump.c,v
retrieving revision 1.14.2.1.8.1
diff -u -r1.14.2.1.8.1 tcpdump.c
--- contrib/tcpdump/tcpdump.c   3 Mar 2012 06:15:13 -0000       1.14.2.1.8.1
+++ contrib/tcpdump/tcpdump.c   26 Jul 2012 09:03:27 -0000
@@ -295,6 +298,7 @@
 }

 static pcap_t *pd;
+static pcap_direction_t aflag = PCAP_D_INOUT;

 extern int optind;
 extern int opterr;
@@ -537,11 +541,16 @@

        opterr = 0;
        while (
-           (op = getopt(argc, argv, "aA" B_FLAG "c:C:d" D_FLAG "eE:fF:G:i:" I_FLAG "KlLm:M:nNOpqr:Rs:StT:u" U_FLAG "vw:W:xXy:Yz:Z:")) != -1)
+           (op = getopt(argc, argv, "a:A" B_FLAG "c:C:d" D_FLAG "eE:fF:G:i:" I_FLAG "KlLm:M:nNOpqr:Rs:StT:u" U_FLAG "vw:W:xXy:Yz:Z:")) != -1)
                switch (op) {

                case 'a':
-                       /* compatibility for old -a */
+                       if (!strcmp(optarg, "in"))
+                               aflag = PCAP_D_IN;
+                       else if (!strcmp(optarg, "out"))
+                               aflag = PCAP_D_OUT;
+                       else
+                               error("invalid direction %s", optarg);
                        break;

                case 'A':
@@ -1023,6 +1032,12 @@
                else if (*ebuf)
                        warning("%s", ebuf);
 #endif /* HAVE_PCAP_CREATE */
+               if (aflag != PCAP_D_INOUT) {
+                       status = pcap_setdirection(pd, aflag);
+                       if (status != 0)
+                               error("%s: pcap_setdirection failed: %s",
+                                   device, pcap_statustostr(status));
+               }
                /*
                 * Let user own process after socket has been opened.
                 */
