Ethereal-dev: Re: [Ethereal-dev] Stop capture trigger. RFC

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: Dinesh G Dutt <ddutt@xxxxxxxxx>
Date: Wed, 25 Jun 2003 08:53:29 -0700
Hi Ronnie,

One problem that I have with your scheme is making it work for start capture
trigger seems ugly (maybe my brain isn't fully upto speed yet). I'd very much
like a scheme that supports both start and stop capture triggers. 

I'm willing to put in some time to help with the implementation.

Dinesh
Ronnie Sahlberg writes:
 > Hi list.
 > 
 > I have been thinking recently about functionality to add capability to
 > ethereal/tethereal to have a trigger that would stop a live capture.
 > These are my ideas, please comment.
 > 
 > First of all, implementing a stop capture trigger as a filter string in the
 > display filter language
 > is probably not practical since this would require [t]ethereal to do a full
 > decode of the packet
 > in order to evaluate the trigger filter and thus would be slow.
 > It would probably not be practical or realistic for use with high speed
 > captures.
 > 
 > What about this instead:
 > If a "stop capture trigger" is enabled in the capture dialog
 > [t]ethereal would create TWO capture sessions instead of as currently one.
 > The first capture handle would be for the real capture and would apply the
 > normal
 > capture filter and work as capturing does today.
 > The second capture handle would capture from the same network interface but
 > specify a different
 > capture filter string.  The stop capture trigger filter string.
 > 
 > All packets that are received by the first handle would work as today.
 > 
 > When the first packet is received on the second handle this would cause
 > [t]ethereal
 > to close the second handle and set a global variable to indicate that the
 > stop trigger has been
 > activated.
 > 
 > In the capture loop for the first capture handle,  the code sees that the
 > trigger condition has
 > occured and thus the stop capture sequence is initiated.
 > 
 > This should be combined with the code for "stop capture after ..." code but
 > when the
 > stop capture trigger feature is activated, these stop capture after... are
 > only ativated after
 > the trigger has occured.
 > 
 > 
 > 
 > I assume delivery from the os to the application for these two handles are
 > asynchronous and thus
 > we would not be able to stop the capture at exactly x packets/seconds/kb
 > after the trigger was
 > activated, but it might be close enough.   It would be better than nothing.
 > 
 > I do not know how this would affect capture performance.
 > Does opening TWO capture session from the same interface with two different
 > pcap filters mean that
 > CPU requirements increases by a factor of two?
 > 
 > Would this be feasible?   Guy?
 > 
 > 
 > If it is feasible, would anyone be interested in hacking up an
 > implementation of this?
 > 
 > 
 > _______________________________________________
 > Ethereal-dev mailing list
 > Ethereal-dev@xxxxxxxxxxxx
 > http://www.ethereal.com/mailman/listinfo/ethereal-dev

-- 
Much unhappiness results from our inability to remember the nice things that
happen to us. - W. N. Rieger