Bruce Keats wrote:
> I am thinking about adding a SHA1 signature to each of the packets captured
> by TCPDUMP. I was poking around libpcap and I have some different ideas on
> how to do it. One way would be to create a new TCPDUMP magic number and then
> change the packet header to include the SHA1. Another way would be to
> create a new TCPDUMP magic number and put the SHA1 between the packet header
> and the data. Another way would be to create a new DLT_ type for each of
> the links I deal with and add the SHA1 somewhere within the data.
>
> I would like to have wireshark still be able to look at the data. If
> wireshark uses libpcap then everything should be hidden. Otherwise, I am
> digging into the wireshark code as well.

Bruce,
I don't have much of an opinion on where to add it. In my application I
needed to detect the duplicate packets that some Cisco Cat6000 (?)
switches send on a spanning port. I tried various hashes like SHA1,
MD4/5, but they were too CPU-intensive. I ended up using a simple
checksum. I only look at the last 4 packets in determining if the
received packet was a dupe.
http://en.wikipedia.org/wiki/Adler-32
Andy
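
The duplicate check Andy describes (an Adler-32 checksum compared against the last 4 packets), as an added example that is not code from the thread or from libpcap. The names `adler32_buf`, `struct dedup` and `dedup_is_dupe` are hypothetical, and comparing the packet length alongside the checksum is an assumption made here to cut down false matches, since Adler-32 is not collision resistant.

```c
#include <stddef.h>
#include <stdint.h>

#define WINDOW 4            /* "last 4 packets", as in the message */
#define ADLER_MOD 65521u    /* largest prime below 2^16 */

/* Adler-32 per RFC 1950: a = 1 + sum of bytes, b = running sum of a. */
static uint32_t adler32_buf(const uint8_t *p, size_t len)
{
    uint32_t a = 1, b = 0;
    for (size_t i = 0; i < len; i++) {
        a = (a + p[i]) % ADLER_MOD;
        b = (b + a) % ADLER_MOD;
    }
    return (b << 16) | a;
}

struct dedup {
    uint32_t sum[WINDOW];   /* checksums of the last WINDOW kept packets */
    size_t   len[WINDOW];   /* their lengths (assumed extra check) */
    unsigned used;          /* slots filled so far, at most WINDOW */
    unsigned next;          /* slot to overwrite next */
};

/* Returns 1 if pkt matches a packet in the window; otherwise records it, returns 0. */
static int dedup_is_dupe(struct dedup *d, const uint8_t *pkt, size_t len)
{
    uint32_t s = adler32_buf(pkt, len);
    for (unsigned i = 0; i < d->used; i++)
        if (d->sum[i] == s && d->len[i] == len)
            return 1;
    d->sum[d->next] = s;
    d->len[d->next] = len;
    d->next = (d->next + 1) % WINDOW;
    if (d->used < WINDOW)
        d->used++;
    return 0;
}

int main(void)
{
    /* Constructed sample frames, not real capture data. */
    const uint8_t a[] = "frame-A", b[] = "frame-B";
    struct dedup d = {0};
    int r1 = dedup_is_dupe(&d, a, sizeof a);   /* first sighting */
    int r2 = dedup_is_dupe(&d, a, sizeof a);   /* span-port copy */
    int r3 = dedup_is_dupe(&d, b, sizeof b);   /* different frame */
    return !(r1 == 0 && r2 == 1 && r3 == 0);
}
```

A match here only means the checksum and length agree, so a pipeline that must not drop distinct packets would confirm with a byte comparison before discarding.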