preventing libpcap to capture the packets injected with pcap_inject()

3
votes

currently thinking on a possibility to sniff at the same interface using only pcap and also inject the packets using pcap_inject.

The thing can be solved easily using either:

  • persistent checksum tracking /large slow map/,
  • checksum tracking - until all the data was injected, say, a first http request;
  • hacking bpf/libipq/Netfilter to carry additional parameter for each real PHY packet

But:

pcap listens eth0 /realworld situation is closer to "pcap listens and drops via source magic"/, pcap sends packet via eth0's handle so they can be routed out. What is the theorethical base for libpcap to not capture packets that were injected to same interface using same library - e.g, injected packets are not going through all Berkeley's packet filter code?

Practical test TBD.

2
code-injectionlibpcapspoofing

2 Answers

1
votes

Possibly just ignore packets with property skb->pkt_type == PACKET_OUTGOING in the receive path.

1
votes

Your question is hard to parse, but if I understand you correctly, you're looking for a way to capture packets that excludes the ones you are injecting. You can do this by using a capture filter that looks only at what is sent to the relevant interface on your machine...

ether dst aa:bb:cc:dd:ee:ff

... or that captures all except what is sent on the relevant interfance:

not ether src aa:bb:cc:dd:ee:ff

This will affect traffic from your machine other than what you are injecting, but if you capture and inject then you likely do not care about your own machine's packets anyway. If you need something more custom, it should not be hard to identify the packets you have just sent in the captured packets. (I suppose that's what you mean by checksumming, but I don't see an immediate table problem.)