Ethereal-dev: Re: [Ethereal-dev] Stop capture trigger. RFC

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 25 Jun 2003 09:48:45 -0700

On Wednesday, June 25, 2003, at 2:36AM, Ronnie Sahlberg wrote:


What about this instead:
If a "stop capture trigger" is enabled in the capture dialog
[t]ethereal would create TWO capture sessions instead of as currently one. The first capture handle would be for the real capture and would apply the 
normal
capture filter and work as capturing does today.
The second capture handle would capture from the same network interface but 
specify a different
capture filter string.  The stop capture trigger filter string.
Or you could just do it with one capture session, by compiling the stop trigger into BPF and running "bpf_filter()" on the incoming packets, and stopping the capture when one matches.
("bpf_filter()" isn't a documented routine in libpcap, but if somebody has a version of libpcap that doesn't export it, the person who unexported it probably wasn't thinking deeply enough; I don't know of any such versions, and I should probably just update the libpcap man page to document it so that people aren't tempted to unexport it.)