On Tue, Aug 06, 2002 at 01:19:38PM +0800, Huang Qian wrote:
> libpcap only use the IP address in the filter?
I didn't say that.
> I found Function " int
> pcap_lookupnet ( char *device, bpf_u_int32 *netp, bpf_u_int32 *maskp, char
> *errbuf)" includes the use of "localnet and mask", so for what they are
> used?
The network number and netmask returned by "pcap_lookupnet()" are for
IPv4, not IPv6.
The netmask is passed as an argument to "pcap_compile()". It is used
*only* by the "ip broadcast" operation in capture filters - a check for
an IPv4 broadcast address is done by ANDing the address with the
complement of the netmask (to find the host portion of the address) and
comparing it with a pattern of all 1's in those bits.
The netmask and network number are also used by tcpdump's "-f" flag:
-f Print `foreign' internet addresses numerically
rather than symbolically (this option is intended
to get around serious brain damage in Sun's yp
server -- usually it hangs forever translating non-
local internet numbers).
The definition of a "foreign" internet address is an address whose
network part isn't equal to the network part from "pcap_lookupnet()".
Ethereal doesn't use the network number at all, and only uses the
netmask as an argument to "pcap_compile()".
> whether their setting will influence the libpcap work?
The network number will not affect libpcap at all.
The netmask will only affect the way the "ip broadcast" operation in
capture filters works (and that's IPv4, not IPv6).
> capture online or read from a captured file, the two fields work the same
> way?
In Ethereal and Tethereal, libpcap is used *only* to capture online, so
the question you ask is meaningless for Ethereal.
In tcpdump, when you're reading from a capture file, the network number
and netmask are set to 0; they're only given real values if you're
capturing online.
