Expand a comment.

The inability to generally filter on incoming/outgoing packets except
for live captures in Linux isn't an inherent characteristic of libpcap,
it's a characteristic forced on us by the limitations of in-kernel BPF
filters on other platforms - remove that limitation, and we could
support it on those platforms as well.

diff --git a/gencode.c b/gencode.c
index b7a3b4e93c38875da4745a756574f293d522c63b..8444472db1966b091fc8237630245d0af0f1be88 100644 (file)
--- a/gencode.c
+++ b/gencode.c
@@ -7722,8 +7722,18 @@ gen_inbound(compiler_state_t *cstate, int dir)
        default:
                /*
                 * If we have packet meta-data indicating a direction,
-                * check it, otherwise give up as this link-layer type
-                * has nothing in the packet data.
+                * and that metadata can be checked by BPF code, check
+                * it.  Otherwise, give up, as this link-layer type has
+                * nothing in the packet data.
+                *
+                * Currently, the only platform where a BPF filter can
+                * check that metadata is Linux with the in-kernel
+                * BPF interpreter.  If other packet capture mechanisms
+                * and BPF filters also supported this, it would be
+                * nice.  It would be even better if they made that
+                * metadata available so that we could provide it
+                * with newer capture APIs, allowing it to be saved
+                * in pcapng files.
                 */
 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER)
                /*