3
votes

I need to capture packets from all network interfaces on a Linux machine. In order to do it I'm planning to use the pcap_open_live() API and pass "any" as the device argument.

I have different types of ports: Ethernet ports (say eth0) and GRE tunnels (say tun0). The packets coming from different types of interfaces have different header formats:

  1. Packets from an Ethernet port have a MAC header
  2. Packets from a tunnel come with a Linux "cooked" capture encapsulation (16 bytes) header

How can I check in the pcap_loop() callback handler what type of packet header I got?


1 Answer

6
votes

All packets you receive get the same type of packet header; that's the type you get when you call pcap_datalink() on the pcap_t. The values that pcap_datalink() returns are the DLT_ values as shown in the Link-Layer Header Types page on the tcpdump.org site.

If you've opened the any device, pcap_datalink() will return DLT_LINUX_SLL, meaning that ALL packets you capture will have the "cooked" capture header - even the ones from eth0! You'd have to capture on eth0, rather than any, to get Ethernet headers for those packets.
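
An added example, not part of the answer above: a handler-side helper that uses the link type to find where the network-layer header starts, for both the 14-byte Ethernet header and the 16-byte cooked header. The names locate_l3, l3_info and the LT_ constants are hypothetical, the sample packets are constructed, and the code assumes the value from pcap_datalink() is passed in by the caller.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values from the tcpdump.org link-layer header types list (DLT_EN10MB and
   DLT_LINUX_SLL in libpcap), redefined so this builds without pcap.h. */
#define LT_EN10MB    1
#define LT_LINUX_SLL 113
#define ETH_HDR_LEN  14
#define SLL_HDR_LEN  16

struct l3_info {
    uint16_t proto;       /* EtherType of the payload, host byte order */
    size_t   offset;      /* where the network-layer header starts */
    int      sll_pkttype; /* cooked packet type (0 = sent to us, 4 = sent by us); -1 on Ethernet */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* linktype is what pcap_datalink() returned for the handle; fetch it once
   and hand it to the callback (for example through the user pointer). */
int locate_l3(int linktype, const uint8_t *pkt, size_t caplen, struct l3_info *out)
{
    if (linktype == LT_EN10MB && caplen >= ETH_HDR_LEN) {
        out->sll_pkttype = -1;
        out->proto = be16(pkt + 12);   /* after dst MAC + src MAC */
        out->offset = ETH_HDR_LEN;
        return 0;
    }
    if (linktype == LT_LINUX_SLL && caplen >= SLL_HDR_LEN) {
        out->sll_pkttype = be16(pkt);  /* type(2) arphrd(2) addrlen(2) addr(8) proto(2) */
        out->proto = be16(pkt + 14);
        out->offset = SLL_HDR_LEN;
        return 0;
    }
    return -1;                         /* truncated capture or unhandled link type */
}

/* Constructed samples: header plus the first byte of an IPv4 header. */
const uint8_t sample_eth[] = { 2,0,0,0,0,1, 2,0,0,0,0,2, 0x08,0x00, 0x45 };
const uint8_t sample_sll[] = { 0,0, 0x03,0x0a, 0,4, 10,0,0,1,0,0,0,0, 0x08,0x00, 0x45 };

int main(void)
{
    struct l3_info i;
    if (locate_l3(LT_LINUX_SLL, sample_sll, sizeof sample_sll, &i) == 0)
        printf("SLL: proto 0x%04x at offset %zu\n", i.proto, i.offset);
    if (locate_l3(LT_EN10MB, sample_eth, sizeof sample_eth, &i) == 0)
        printf("Ethernet: proto 0x%04x at offset %zu\n", i.proto, i.offset);
    return 0;
}
```

The length checks use the captured length, so a packet cut short by a small snapshot length is rejected instead of being read past its end.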