Ethereal-users: RE: [Ethereal-users] stop capturing on condition

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "McNutt, Justin M." <McNuttJ@xxxxxxxxxxxx>
Date: Thu, 11 Sep 2003 12:54:54 -0500

If you can get your capture filter set correctly, you could just write a script that does something like this:

---- WatchForTCN.pl ----
#!/usr/bin/perl

# Start the capture and put it in the background.
system("/usr/bin/tethereal -n -w capture.file.pcap (ring buffer args) 1>/dev/null 2>/dev/null &");

# Start another capture to watch for the TCN BPDUs.
system("/usr/bin/tethereal -c 1 -n '<filter for TCN BPDUs>' 1>/dev/null 2>/dev/null");

# This only runs if the second capture exits, which should only be when a TCN BPDU is encountered.
system("<script to kill -TERM PID of first tethereal process>");

exit;


There's a way to extract the PID from the first system() command, I think, so the third system command might be as easy as 'kill -TERM $pid'.

Spanning Tree is supported by tcpdump, so your capture filter would be this:

stp and ether[15] & 1 = 1

('stp' captures only Spanning Tree, ether[15] is the offset of the BPDU flags, & 1 does a bitwise AND with the first flag (the TCN flag), and = 1 checks for the value you want.)

So figure out how to get $pid set to something useful and you're there.

--J
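
The step the message leaves open, getting the PID of the background capture, can be done in plain shell with `$!`. The following is an added example, not part of the original message; the names `capture_until_trigger`, `TETHEREAL` and `CAPTURE_PID` are chosen here, and the ring buffer options are passed through unchanged as extra arguments.

```shell
#!/bin/sh
# Added example, not from the original message. The names TETHEREAL,
# CAPTURE_PID and capture_until_trigger are chosen for this sketch.
TETHEREAL=${TETHEREAL:-/usr/bin/tethereal}   # path used in the message

# capture_until_trigger OUTFILE TRIGGER_FILTER [ring buffer args...]
capture_until_trigger() {
    outfile=$1; trigger=$2; shift 2

    # Main capture in the background; "$@" carries the ring buffer options.
    "$TETHEREAL" -n -w "$outfile" "$@" >/dev/null 2>&1 &
    CAPTURE_PID=$!          # $! is the PID of the job just backgrounded

    # If this script is interrupted, do not leave the capture running.
    trap 'kill -TERM "$CAPTURE_PID" 2>/dev/null; exit 130' INT TERM

    # Catch a capture that died at startup (bad option, no privileges).
    sleep 1
    if ! kill -0 "$CAPTURE_PID" 2>/dev/null; then
        echo "capture process exited early" >&2
        trap - INT TERM
        return 2
    fi

    # Blocks until one packet matches the trigger filter (-c 1).
    watcher_status=0
    "$TETHEREAL" -c 1 -n "$trigger" >/dev/null 2>&1 || watcher_status=$?

    # Stop the main capture with SIGTERM, as the message suggests, and reap it.
    kill -TERM "$CAPTURE_PID" 2>/dev/null || true
    wait "$CAPTURE_PID" 2>/dev/null || true
    trap - INT TERM
    return "$watcher_status"
}

# Run only when called with arguments, e.g.
#   sh watch_tcn.sh capture.file.pcap '<filter for TCN BPDUs>' <ring buffer args>
if [ "$#" -ge 2 ]; then
    capture_until_trigger "$@"
fi
```

The function returns the watcher's exit status, so a non-zero result means the trigger capture itself failed rather than matched a packet.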

> -----Original Message-----
> From: Michael Hüttig [mailto:Michael.Huettig@xxxxxxxxxxxxxxxxxxxxxxx]
> Sent: Tuesday, August 26, 2003 3:48 AM
> To: ethereal-users@xxxxxxxxxxxx
> Subject: [Ethereal-users] stop capturing on condition
> 
> 
> Hi all,
> is it possible to stop capturing after a condition?
> 
> We're having some problems with switches, which reboot sometimes, so I want to
> capture in a ringbuffer and after sending out bpdu-packets with
> topology-change-flag I want to stop capturing for further analysis of
> traffic, which causes switch-reboot.
> --
> thanks for your help
> 
> Michael