Closed asidorenko closed 3 years ago
This is a limitation of the-tcpdump-group/libpcap, which only implements inbound and outbound for Linux. In other words, the BPF filter you are using is not portable. Here is the code in libpcap showing that if linux is not defined, the error is hard-coded: https://github.com/the-tcpdump-group/libpcap/blob/master/gencode.c#L7676-L7702
In order to make this work on a particular platform, the BPF engine - which is in the kernel on most platforms - would have to somehow support checking the direction of the packet.
Windows, by virtue of not shipping its own native packet capture mechanism, is actually in a better position in that regard than the UN*Xes that don't support it, because WinPcap/Npcap have to provide the in-kernel capture code; Npcap's driver could probably support special BPF tests in its in-kernel filtering code to check the packet direction, and we (the libpcap developers) could add support for that in the BPF code generator.
Npcap fails to compile a BPF filter for inbound traffic with the following error (on Intel(R) 82579LM Gigabit Network Connection):
inbound/outbound not supported on linktype 1
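
A portable approximation for Ethernet captures, as an added example that is not part of the thread or of libpcap/Npcap: rewrite the Linux-only `inbound`/`outbound` keywords into a source-MAC test before the filter is compiled. The function name and the sample MAC are hypothetical, and treating "outbound" as `ether src <local MAC>` is an assumption of this sketch.

```python
import re

DLT_EN10MB = 1  # the "linktype 1" in the error message: Ethernet

_MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")
# Match the bare keywords only, not substrings of host names such as
# "inbound.example.com" or "my-outbound".
_DIR_RE = re.compile(r"(?<![\w.\-])(inbound|outbound)(?![\w.\-])")


def rewrite_direction(expr, local_mac, linktype=DLT_EN10MB):
    """Replace inbound/outbound with an Ethernet source-address test.

    Assumption: frames sent by this host carry local_mac as their
    source address, so everything else is treated as inbound.
    """
    if not _DIR_RE.search(expr):
        return expr  # nothing platform-specific in the filter
    if linktype != DLT_EN10MB:
        raise ValueError("rewrite only defined for Ethernet (linktype 1)")
    # Accept the dash-separated form Windows tools print.
    mac = local_mac.strip().lower().replace("-", ":")
    if not _MAC_RE.match(mac):
        raise ValueError("not a MAC address: %r" % local_mac)
    outbound = "(ether src %s)" % mac
    inbound = "(not ether src %s)" % mac
    # Parenthesised replacements keep the precedence of the original
    # expression, e.g. under a leading "not".
    return _DIR_RE.sub(
        lambda m: inbound if m.group(1) == "inbound" else outbound, expr)


if __name__ == "__main__":
    # Constructed sample MAC, not taken from the issue.
    print(rewrite_direction("inbound and tcp port 443", "00-1B-21-AA-BB-CC"))
```

A received frame that carries the local MAC as its source is classified as outbound by this rewrite, which differs from the Linux keywords, where the kernel decides direction from the path the packet took.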