On 24 jun 2011, at 11:10, Oguz Yilmaz wrote:
> Are there any pcap filter for selecting packets according to their
> direction. My solution was using "ether dst" or "ether src". hoıwever
> this depends on knowing MAC address of the interface. I want to ask
> whteter there is another way of selection of ingress and egresss
> packets seperately.
The pcap format does not provide means to store the direction of a packet (or the interface on which it was captured). So when using pcap files, you will have to filter by mac-addresses and/or IP addresses. This does however mean you have to know the topology of the network.
In pcap-ng, I think there is the possibility to store interface and direction information. But AFAIK this has not been implemented in Wireshark yet (pcap-ng support is slowly increasing in Wireshark).
Hope this helps,
Cheers,
Sake