From mboxrd@z Thu Jan  1 00:00:00 1970
From: Pablo Neira Ayuso <pablo@netfilter.org>
Subject: Re: nfqueue ethernet packet frame capture
Date: Wed, 17 Mar 2021 16:54:14 +0100
Message-ID: <20210317155414.GA1197@salvia>
References: <CADtAAp7ReZoa1kLSm4oc7um9-vQ_XUnq9t80mN4T8igZQjyxUA@mail.gmail.com>
 <20210317143713.GA3781@salvia>
 <CADtAAp7Da8BtAK2zvhnT-RTG1myzbZ6k0xZgmifhsuYLAukDCQ@mail.gmail.com>
 <20210317155251.GA1140@salvia>
 <20210317155309.GB1140@salvia>
Mime-Version: 1.0
Return-path: <netfilter-owner@vger.kernel.org>
Content-Disposition: inline
In-Reply-To: <20210317155309.GB1140@salvia>
List-ID: <netfilter.vger.kernel.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: ilker <ilkery@gmail.com>
Cc: netfilter@vger.kernel.org

On Wed, Mar 17, 2021 at 04:53:09PM +0100, Pablo Neira Ayuso wrote:
> On Wed, Mar 17, 2021 at 05:41:53PM +0300, ilker wrote:
> > it only gives the source MAC address:(
> > I need the destination MAC address.. I will use
> > src_mac+dst_mac+ethertype and reconstruct the full ETH header.
> > I tried
> > nfq_get_physindev_name
> > nfq_get_physoutdev_name
> > nfq_get_indev_name
> > nfq_get_outdev_name
> > 
> > but neither of them gave me a MAC.
> > A libpcap fanboy said that netfilter can not and libpcap can give.. I
> > don't want to convert my code to pcap that is why I am looking for a
> > solution.
> 
> nfq_get_indev_name provides the input device. From userspace, you can
> retrieve the destination MAC from the indev. The ethernet protocol is
> coming in the ->hw_protocol field.

I'm assuming your setup is a router, then destination MAC can be
infered.