Re: nfqueue ethernet packet frame capture

On Wed, Mar 17, 2021 at 08:49:18PM +0300, ilker wrote:
> What I get from indev from a sample capture are as follows:
> indev_name = *
> outdev_name = wlan0
> physindev_name = *
> physoutdev_name = *

I see, so you'd like to catch the packet from the output path.

> nfq_get_physindev_name returns device name on my host. I can retrieve
> wlan0 mac but this would be the MAC address on my host. (I am testing
> my application on PC for now but the target is a router as you said)
> 
> What I am looking for is a destination MAC address. e.g. when I
> capture the network on the same host via libpcap, I get the following dump
> 17:29:34.575912 AA:AA:AA:AA:AA:AA > BB:BB:BB:BB:BB:BB, ethertype IPv4
> (0x0800), length 1197: (tos 0x0, ttl 57, id 37046, offset 0, flags
> [DF], proto TCP (6), length 1183)
> 
> where AA:AA:AA:AA:AA:AA is the gateway_MAC_address that my PC
> is connected to and BB:BB:BB:BB:BB:BB is the wlan_interface_mac of my PC.
> My aim is to capture my gateway mac address (AA:AA:AA:AA:AA:AA) as a
> destination MAC from my PC via NFQUEUE. (like tcpdump example)
> 
> Is that possible?

The problem is that the MAC address is not yet known from the output
path (postrouting hook) since it comes before the neighbour layer.
So the MAC address is not yet known.

You could catch the packet via nfqueue and then send a query to obtain
the destination MAC address by the IP destination through rtnetlink
(neighbour cache lookup from userspace).

An alternative would be to have a netfilter egress hook (layer 2 MAC
information is already available from there) and add nfqueue support
too, but that's not available upstream.
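
The neighbour cache lookup suggested in the reply above, as an added example in C that is not part of the original message or of any netfilter project code: it sends an RTM_GETNEIGH dump over rtnetlink and returns the link-layer address cached for one IPv4 address. The names `neigh_find` and `neigh_lookup` are hypothetical, and the address passed in is assumed to be the on-link next hop (the gateway for off-link destinations) in network byte order.

```c
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/rtnetlink.h>   /* also pulls in linux/netlink.h and linux/neighbour.h */

/* Added example (hypothetical helper names). Scan one reply buffer for IPv4 neighbour
 * ip (network byte order): 1 and mac filled if found, 0 to keep reading, -1 at end of dump. */
int neigh_find(void *buf, int len, uint32_t ip, uint8_t mac[6])
{
    for (struct nlmsghdr *nh = buf; NLMSG_OK(nh, len); nh = NLMSG_NEXT(nh, len)) {
        if (nh->nlmsg_type == NLMSG_DONE || nh->nlmsg_type == NLMSG_ERROR)
            return -1;
        if (nh->nlmsg_type != RTM_NEWNEIGH)
            continue;
        struct ndmsg *nd = NLMSG_DATA(nh);
        int alen = (int)nh->nlmsg_len - (int)NLMSG_LENGTH(sizeof(*nd));
        struct rtattr *a = (struct rtattr *)((char *)nd + NLMSG_ALIGN(sizeof(*nd)));
        const void *dst = NULL, *ll = NULL;
        for (; RTA_OK(a, alen); a = RTA_NEXT(a, alen)) {
            if (a->rta_type == NDA_DST && RTA_PAYLOAD(a) == 4)
                dst = RTA_DATA(a);
            else if (a->rta_type == NDA_LLADDR && RTA_PAYLOAD(a) == 6)
                ll = RTA_DATA(a);
        }
        if (dst && ll && nd->ndm_family == AF_INET && !memcmp(dst, &ip, 4) &&
            !(nd->ndm_state & (NUD_INCOMPLETE | NUD_FAILED))) {  /* resolved only */
            memcpy(mac, ll, 6);
            return 1;
        }
    }
    return 0;
}

/* Dump the kernel's IPv4 neighbour cache and look up ip; 1 if resolved, else 0. */
int neigh_lookup(uint32_t ip, uint8_t mac[6])
{
    struct { struct nlmsghdr nh; struct ndmsg nd; } req = {
        .nh = { .nlmsg_len = sizeof(req), .nlmsg_type = RTM_GETNEIGH,
                .nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP },
        .nd = { .ndm_family = AF_INET } };
    uint32_t buf[4096];   /* 16 KiB, aligned for struct nlmsghdr */
    int n, r, fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
    if (fd < 0)
        return 0;
    r = send(fd, &req, sizeof(req), 0) < 0 ? -1 : 0;
    while (r == 0 && (n = recv(fd, buf, sizeof(buf), 0)) > 0)
        r = neigh_find(buf, n, ip, mac);
    close(fd);
    return r == 1;
}
```

A return of 0 from `neigh_lookup` means the kernel holds no resolved entry for that address at the moment of the query, which can be the case for the first packet sent to a new next hop.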


