Ethereal-dev: Re: [tcpdump-workers] Re: [Ethereal-dev] Capture triggers

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Michael Richardson <mcr@xxxxxxxxxxxxxxxxxxxxxx>
Date: Mon, 02 Apr 2001 08:35:44 -0400
>>>>> "Guy" == Guy Harris <guy@xxxxxxxxxx> writes:
    >> It would be useful to be able to start the capture based on the presence of
    >> a certain packet or perhaps even a sequence of packets.

    Guy> Or, rather, given what current OS packet capture mechanisms support,
    Guy> "start saving captured packets to the capture file based on the presence
    Guy> of a certain packet or perhaps even a sequence of packets" - the
    Guy> checks

  i.e. have some kind of stateful packet filter.

    Guy> The "sequence of packets" part would require that the program provide a
    Guy> list of filters and the filtering mechanism arrange that starting at
    Guy> filter 1, if the packet passes filter N filter N+1 becomes the trigger
    Guy> filter, and if filter N is the last filter you start passing packets
    Guy> up.

  Or, that each BPF program returns a number, which is the number of the BPF
filter in the list to switch to. Of course, people would then want some
values from the initial packet to be used as fields for subsequent filters.

  (e.g. capture all packets in a TCP stream when the first one has .vbs
somewhere in the payload...)

  This rapidly devolves into a rather complicated problem if there is any
chance of multiple processors being used for performance reasons. Netboost
had a nice solution at up to 100Mb/s, but it had a big heat sink, and that
product line is now dead...
    Guy> This means the capture wouldn't start until the *last* packet in that
    Guy> sequence; to have it start with the first one, intervening packets would
    Guy> have to be buffered up and passed up to userland when the last filter
    Guy> succeeds (which could be tricky if there's a long gap between the

  They could be put into a circular buffer, with the entire buffer passed to
userland when the filter matches.

] Train travel features AC outlets with no take-off restrictions|gigabit is no[
]   Michael Richardson, Solidum Systems   Oh where, oh where has|problem  with[
]     mcr@xxxxxxxxxxx   www.solidum.com   the little fishy gone?|PAX.port 1100[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
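One way to model the trigger chain and circular buffer discussed in this message, as an added Python sketch that is not part of the thread or of Ethereal/libpcap: the `TriggerCapture` class, the filter functions and the sample packets are all hypothetical and constructed for illustration, with a bounded ring so that a long gap between trigger packets loses the oldest history rather than growing without limit.

```python
from collections import deque

# Constructed sample packets, not real captures: a dict stands in for parsed headers.
def pkt(src, dst, sport, dport, payload=b""):
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "payload": payload}
def flow_of(p):
    return (p["src"], p["dst"], p["sport"], p["dport"])

class TriggerCapture:
    """Hypothetical trigger chain. A filter maps (packet, state) to the next filter
    index (None: no match; past the end: trigger fires) and may stash values in
    `state`; pre-trigger packets wait in a bounded ring flushed whole on trigger."""
    def __init__(self, filters, keep=lambda p, state: True, ring_size=4):
        self.filters, self.keep, self.current, self.state = filters, keep, 0, {}
        self.ring = deque(maxlen=ring_size)  # oldest packet is dropped when full
        self.saved, self.triggered = [], False

    def feed(self, p):
        if self.triggered:                    # capture running: apply keep filter
            if self.keep(p, self.state):
                self.saved.append(p)
            return
        self.ring.append(p)
        nxt = self.filters[self.current](p, self.state)
        if nxt is not None and nxt < len(self.filters):
            self.current = nxt                # advance along the chain
        elif nxt is not None:                 # last filter matched: trigger
            self.triggered = True
            self.saved.extend(self.ring)      # hand the buffered history up at once
            self.ring.clear()

# Filter 0: a payload mentioning ".vbs" records the flow and arms filter 1.
def vbs_filter(p, state):
    if b".vbs" in p["payload"]:
        state["flow"] = flow_of(p)
        return 1

# Filter 1 (last): the next packet of that same flow fires the trigger.
def same_flow(p, state):
    return 2 if flow_of(p) == state["flow"] else None

def run_demo():
    cap = TriggerCapture([vbs_filter, same_flow],
                         keep=lambda p, s: flow_of(p) == s["flow"], ring_size=3)
    a, other = ("10.0.0.1", "10.0.0.2", 1234, 80), ("10.0.0.9", "10.0.0.2", 4321, 80)
    for p in [pkt(*other, b"GET /index.html"), pkt(*a, b"GET /x"), pkt(*a, b"noise"),
              pkt(*a, b"attach love.vbs"), pkt(*other, b"unrelated"),
              pkt(*a, b"continuation"), pkt(*other, b"more"), pkt(*a, b"tail")]:
        cap.feed(p)
    return [p["payload"] for p in cap.saved]  # "noise" already fell off the 3-slot ring
```

Note that the flushed ring still contains the unrelated packet that arrived between the two trigger packets, since the whole buffer is handed up at once; the post-trigger `keep` predicate is what narrows the saved stream to the recorded flow.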