Jesse Kempf wrote:
Hi,
So tcpdump tends to jam up the terminal a bit when you try to dump on
a saturated gigabit link. I've added a -P option to tcpdump that lets
you specify a probability for tcpdump to print each packet. It uses
drand48() to figure out whether each packet captured should be
printed. Obviously this isn't the same thing as saying "print every
Nth packet" since this is a Bernoulli process and the expected value
of the number of printed packets is different.
Also, I hacked up the print_packet function, so this only works for
parse and print mode.
Somebody, I can't remember who, has patches to bpf which push the
probability to the capture layer itself, rather than just the printing
routine. They were actively using this for NIDS stuff.
The thing which got in the way of adoption was a lack of versioning of
bpf capabilities IIRC. Not sure if this got solved or not.
later
BMS
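The two sampling strategies Jesse contrasts above (a drand48() coin flip per packet versus "print every Nth packet") are easy to compare side by side. The following is an added example, not Jesse's patch or any tcpdump code: the function names, the simulated packet count and the seed are all made up for illustration. It shows why the Bernoulli version has the same expected number of printed packets as 1-in-N sampling with p = 1/N, but a different (random) actual count, which is the caveat a defender should keep in mind before relying on sampled output for anything like rate estimates.

```c
#define _XOPEN_SOURCE 700   /* expose drand48()/srand48() from <stdlib.h> on POSIX libcs */
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>

/* Per-packet decision in the style of the -P option described in the
 * message: drand48() returns a uniform double in [0,1), so the packet is
 * printed with probability p. Each decision is independent of all others,
 * i.e. a Bernoulli process. (Hypothetical helper, not tcpdump's code.) */
static bool sample_bernoulli(double p)
{
    return drand48() < p;
}

/* Deterministic alternative for comparison: print the Nth, 2Nth, 3Nth...
 * packet. 'seen' is a 1-based running counter kept by the caller. */
static bool sample_every_nth(unsigned long seen, unsigned long n)
{
    return n > 0 && (seen % n) == 0;
}

/* Simulate n_packets captured packets (constructed input, no real capture)
 * and count how many the Bernoulli sampler would print. The seed makes the
 * run reproducible, which is useful when checking a build of the patch. */
unsigned long count_bernoulli(unsigned long n_packets, double p, long seed)
{
    unsigned long printed = 0;
    srand48(seed);
    for (unsigned long i = 0; i < n_packets; i++)
        if (sample_bernoulli(p))
            printed++;
    return printed;
}

/* Same simulation for every-Nth sampling: the count is exact, never random. */
unsigned long count_every_nth(unsigned long n_packets, unsigned long n)
{
    unsigned long printed = 0;
    for (unsigned long seen = 1; seen <= n_packets; seen++)
        if (sample_every_nth(seen, n))
            printed++;
    return printed;
}

int main(void)
{
    const unsigned long n_packets = 10000;   /* constructed: 10k packets */
    const unsigned long n = 4;               /* print 1 in 4 ... */
    const double p = 1.0 / (double)n;        /* ... or each with p = 0.25 */

    unsigned long exact = count_every_nth(n_packets, n);
    unsigned long random = count_bernoulli(n_packets, p, 12345L);

    /* Expected value is n_packets * p for both; only the Bernoulli count
     * fluctuates around it from run to run (different seed, different count). */
    printf("expected printed packets: %.0f\n", n_packets * p);
    printf("every-%luth sampling printed: %lu\n", n, exact);
    printf("bernoulli p=%.2f printed:   %lu\n", p, random);
    return 0;
}
```

Seeding with a fixed value, as above, is only for reproducible testing; a real tool would seed from time or the capture itself so the sample is not predictable run to run.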
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.