Luis EG Ontanon wrote:
> As far as triggers go a while ago I checked in trigcap.c.

Nice.

> It's an experiment I wrote that works with capture filters as
> start/stop triggers, I have not added it to the build process because
> I do not know if it works on anything other than my Mac.
> It should not be difficult to mimic its mechanics in dumpcap.

It builds and runs on Linux just fine.

> It pcap_open_live()s a listener and a capturer (if a filter is given)
> it then enters a loop pcap_dispatch()ing a listener_handler and a
> capturer_handler

This monopolized the processor. See the patches I wrote against
trigcap.c attached to bug 2039 [1].
The main goal of the patches was to run a specified program or script
(e.g. tshark with a read filter) at the start event and another program
(e.g. killall tshark) at the stop event.
The patches are just PoC, but seem to work for me. Let me know what you
think...
thx,
Jason.
[1] - http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2039