Not sure whether it is necessary, or whether there is
somewhere later within DAT. But should we exclude some
iphdr->saddr or ethhdr->h_source addresses? For instance a
DHCPDISCOVER usually has a zero-ip address.
And speaking of DHCP, do you (or anyone else) know whether a
DHCP server (or its kernel) sends an ARP request before sending
a unicast DHCPOFFER? Or do DHCP servers usually craft DHCPOFFERs
in userspace within their daemon, including the Ethernet header?
If the latter is the case, maybe we could/should dat-snoop the
ethernet+IP destination of such DHCPOFFERs in interface_rx(),