Ethereal-users: Re: [Ethereal-users] Two packet intercept question

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Wed, 10 Jan 2001 14:31:20 -0800 (PST)
> I actually do not need the packets re-assembled (easy perl problem),
> it would be sufficient if the capture filter could be set as a
> trigger, and then the trigger packet and N subsequent packets were
> dumped (in the sense of a hardware logic analyzer).

Such a mechanism could be put into various capture programs (tcpdump,
Ethereal/Tethereal) by compiling a trigger filter into BPF code with
"pcap_compile()" and then having the application run each packet it sees
through that filter by calling "bpf_filter()" on it.  The application
would start out discarding packets; when the first packet passed the
filter, it'd use that packet and then use all subsequent packets.

This means even the packets prior to the trigger packet would be copied
up to userland, so it would cost some extra CPU; in theory, the packet
capture mechanisms in various OSes could have such a trigger mechanism
added to them, so that packets aren't copied up to userland until the
trigger packet is seen.  This might call for the trigger mechanism to be
added to libpcap, so that it could transparently use such a mechanism if
present.
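The trigger-then-capture loop described above, as an added example that is not part of the original message or of libpcap: a pure-Python reader over a constructed pcap file in which a hand-written TCP destination-port predicate stands in for the compiled BPF program (a real implementation would use pcap_compile() and bpf_filter() as the reply describes). All function names and the sample frames are assumptions made here.

```python
import struct

def tcp_frame(dst_port, payload=b""):
    """Build a constructed Ethernet/IPv4/TCP frame (sample input, not captured traffic)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # zero MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Serialize frames as a little-endian pcap file (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

def iter_pcap(data):
    """Yield (ts_sec, frame) for each record; honours the file's byte order."""
    end = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        ts_sec, _, caplen, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + caplen]
        off += caplen

def tcp_dst_port(frame):
    """Return the TCP destination port of an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6 or len(frame) < 14 + ihl + 4:
        return None
    return struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]

def triggered_capture(data, trigger, n_after):
    """Discard frames until trigger(frame) is true, then keep it and the next n_after."""
    kept, waiting = [], True
    for ts_sec, frame in iter_pcap(data):
        if waiting:
            if not trigger(frame):
                continue                 # pre-trigger packet: copied up, then dropped
            waiting = False
        kept.append((ts_sec, frame))
        if len(kept) == n_after + 1:     # trigger packet plus N subsequent
            break
    return kept

# Constructed sample: five frames; the TLS-port one is the trigger.
SAMPLE_PCAP = build_pcap([tcp_frame(80), tcp_frame(22), tcp_frame(443, b"hi"),
                          tcp_frame(80), tcp_frame(25)])
```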