Ethereal-dev: Re: [Ethereal-dev] Capturing from multiple interfaces, and why we need this.

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 1 Feb 2004 11:49:44 -0800
On Sun, Feb 01, 2004 at 10:24:36AM -0500, Brady Volpe wrote:
> Developing a generalized format in Ethereal that accepts one or more data
> streams from either memory or the PCI bus would enable applications such as
> DOCSIS sniffing to be more easily accomplished.  The ideal situation would
> be to use the existing ethereal display filters to function as capture
> filters.  In this case, WinPcap would be bypassed (or integrated) into
> Ethereal.

I really do *NOT* want Ethereal to have any direct capture code.  I
think that belongs in libpcap, so that applications *other* than
Ethereal can use it (I do *NOT* think Ethereal should be the one single
application for all tasks that involve packet capture).

Note also that Ethereal display filters are *not* cheap to implement - a
fair bit of computation, and maintenance of state, is involved in doing
full dissections, and a full dissection is necessary to implement
display filters.  The BPF capture filters that are used by libpcap are
much cheaper.