Finding the direction of captured packet

[Nida Afreen]

Hello,

I understand that pcap captures both the outgoing and incoming packets.

I have a scenario where after capturing the packet, I want to identify whether the packet is outgoing or incoming. Is there a way to identify this?

Please note that I don't want to use setdirection because it will block the packets. I want to capture all but be able to know the direction of flow.

Thanks in advance.

[PcapPlusPlus Support]

Hi Nida,

Yes, you can easily check if the packet is incoming or outgoing by checking either the source/dest MAC address, the source/dest IP address or the source/dest TCP/UDP port, depending on the protocols you're trying to identify.

This is assuming you know the source/destination of the machine your application is running on.

Please let me know if you have any other questions.

Thanks,

PcapPlusPlus maintainer

--
You received this message because you are subscribed to the Google Groups "PcapPlusPlus support" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pcapplusplus-sup...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/pcapplusplus-support/64bae38c-e646-41ca-8c17-10de455ea2een%40googlegroups.com.

[Nida Afreen]

Hello,

Thank you for the reply. My application involves simulation of multiple packets, each with different IP/MAC addresses. In order to decide incoming or outgoing, it would require my application to compare each received packets with all the simulated MAC/IP addresses. So I was wondering if pcapplusplus offers an API to do this job?

Thanks,

Nida

[PcapPlusPlus Support]

Hi Nida,

It really depends on which protocols you're trying to test. For example, if you're capturing HTTP packets then there is a distinction between `HttpRequestLayer` and `HttpResponseLayer`; Or if you're capturing ARP packets you can see if the Op Code is a request or a response. But there is no generic way to identify incoming or outgoing packet for each protocol...

Thanks,

PcapPlusPlus maintainer

To view this discussion on the web visit https://groups.google.com/d/msgid/pcapplusplus-support/34775298-dfdf-4587-a3bc-db3e0abe299cn%40googlegroups.com.