On Sep 9, 2008, at 7:02 PM, lei wei wrote:

> I'm trying to capture packets from two network interfaces on FreeBSD
> using pcap. From what I have read, a "-i any" can be used on Linux to
> capture from all interfaces. But FreeBSD doesn't seem to recognize it.
BPF devices, unlike Linux PF_PACKET sockets, require that you bind
the BPF device to a network interface, in which case it only receives
packets from that interface. Thus, the mechanism that the "any"
device uses on Linux is not available on OSes using BPF, such as
FreeBSD (and NetBSD and OpenBSD and DragonFly BSD and Mac OS X and AIX).
(In addition, unlike Linux PF_PACKET sockets, BPF devices don't have a
way to supply "cooked" packets without link-layer headers, so, even if
you *could* have an unbound BPF device, there would have to be changes
made to BPF to handle capturing from multiple interfaces if they don't
all have the same link-layer header type.)
> I wonder if there's a way to capture on multiple interfaces by
> something like link aggregation, except launching several capturing
> processes and merging & sorting?
You can capture from multiple interfaces by opening multiple pcap_t's,
one for each interface, and having the main loop of your capture
program use select(), poll(), or kqueues to wait for packets to arrive
from any of the interfaces (use pcap_get_selectable_fd() to get an FD
on which to select from the pcap_t - if it fails, you can't use
select()/poll()/kqueues, but, for FreeBSD, it should only fail on
FreeBSD 4.3 and 4.4, where there are some BPF bugs that prevent
select() and poll() from working).
If a given FD is readable, find the corresponding pcap_t, and call
pcap_dispatch() on it to process the packets. Note that a single call
to pcap_dispatch() will deliver packets in time order (as far as I know
- this isn't Linux, so at least it's not *known* to deliver them out of
order :-)), but you'll have to merge the packets from different
interfaces yourself.
(Also, if you want your program to work on OSes other than
sufficiently recent versions of *BSD:
1) sufficiently old versions of *BSD don't handle the BPF timeout
correctly for select()/poll() - that might not be an issue, but...
2) *all* versions of Mac OS X don't handle the BPF timeout correctly
for select();
3) Mac OS X 10.4 and later don't support poll() or kqueues on any
character special files, including BPF devices.)
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
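The loop described in the reply, written out as an added example; this is not code from the thread or from libpcap. libpcap is not linked at all: each pipe stands in for the descriptor that pcap_get_selectable_fd() returns for one BPF-bound pcap_t, and read_records() stands in for pcap_dispatch(). The record layout, the struct and function names, the queue size and the two "em0"/"em1" sources are all assumptions made for the example. What it adds to the reply is the hold-back rule in merge_ready(): a packet from one interface is only safe to emit once every other still-open interface has delivered something at least as new, otherwise a quiet interface can later hand you an older packet and the merged stream is out of order.

```c
/* Added example, not code from this thread or from libpcap: the select()
 * loop the reply describes, plus the user-space timestamp merge it says you
 * must do yourself.  libpcap is not linked: each pipe below stands in for the
 * fd pcap_get_selectable_fd() returns for one BPF-bound pcap_t, and
 * read_records() stands in for pcap_dispatch().  Names and layout assumed. */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/select.h>
#define QLEN 64

struct rec { uint64_t ts_usec; char data[8]; };   /* constructed packet record */
struct source {                 /* one pcap_t bound to one interface */
    int fd, eof;                /* fd: from pcap_get_selectable_fd() */
    struct rec q[QLEN];         /* received, not yet merged out (ring) */
    int head, tail;
};
static int q_empty(const struct source *s) { return s->head == s->tail; }

/* Stand-in for pcap_dispatch(): queue every whole record readable now (fd is
 * non-blocking; 16-byte pipe writes are atomic).  Ring overflow not handled. */
static int read_records(struct source *s)
{
    struct rec r; ssize_t got; int n = 0;
    while ((got = read(s->fd, &r, sizeof r)) == (ssize_t)sizeof r) {
        s->q[s->tail] = r; s->tail = (s->tail + 1) % QLEN; n++;
    }
    if (got == 0) s->eof = 1;   /* writer closed: interface gone */
    return n;
}

/* k-way merge by timestamp.  A head packet is emitted only when every
 * still-open source has something queued: a quiet interface may yet deliver
 * an older packet, and emitting early would reorder. */
static int merge_ready(struct source *src, int nsrc, struct rec *out, int max)
{
    int n = 0;
    while (n < max) {
        int best = -1; uint64_t bts = 0;
        for (int i = 0; i < nsrc; i++) {
            if (q_empty(&src[i])) { if (src[i].eof) continue; return n; }
            uint64_t ts = src[i].q[src[i].head].ts_usec;
            if (best < 0 || ts < bts) { best = i; bts = ts; }
        }
        if (best < 0) break;    /* all sources drained */
        out[n++] = src[best].q[src[best].head];
        src[best].head = (src[best].head + 1) % QLEN;
    }
    return n;
}

/* The loop from the reply: select() on all fds, dispatch the readable ones,
 * merge.  With a real BPF device the timeout is where the reply's caveats
 * about select()/poll() on old *BSD and Mac OS X apply. */
static int capture_all(struct source *src, int nsrc, struct rec *out, int max)
{
    int total = 0;
    for (;;) {
        fd_set rfds; int maxfd = -1, nopen = 0; struct timeval tv = { 1, 0 };
        FD_ZERO(&rfds);
        for (int i = 0; i < nsrc; i++) {
            if (src[i].eof) continue;
            FD_SET(src[i].fd, &rfds); nopen++;
            if (src[i].fd > maxfd) maxfd = src[i].fd;
        }
        if (nopen == 0) break;
        if (select(maxfd + 1, &rfds, NULL, NULL, &tv) < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        for (int i = 0; i < nsrc; i++)
            if (!src[i].eof && FD_ISSET(src[i].fd, &rfds)) read_records(&src[i]);
        total += merge_ready(src, nsrc, out + total, max - total);
    }
    return total + merge_ready(src, nsrc, out + total, max - total);
}

/* Two constructed sources, "em0" and "em1", fed through pipes; em1's packets
 * are written first so arrival order across fds differs from time order.
 * Returns the packet count if the merged output is strictly time-ordered. */
static int demo_two_sources(struct rec *out, int max)
{
    static const struct rec em0[] = {{100,"em0-a"},{300,"em0-b"},{500,"em0-c"}};
    static const struct rec em1[] = {{200,"em1-a"},{400,"em1-b"}};
    int p[2][2]; struct source src[2]; memset(src, 0, sizeof src);
    for (int i = 0; i < 2; i++) {
        if (pipe(p[i]) < 0) return -1;
        fcntl(p[i][0], F_SETFL, fcntl(p[i][0], F_GETFL) | O_NONBLOCK);
        src[i].fd = p[i][0];
    }
    for (int i = 0; i < 2; i++) if (write(p[1][1], &em1[i], sizeof em1[i]) < 0) return -1;
    for (int i = 0; i < 3; i++) if (write(p[0][1], &em0[i], sizeof em0[i]) < 0) return -1;
    close(p[0][1]); close(p[1][1]);
    int n = capture_all(src, 2, out, max);
    close(p[0][0]); close(p[1][0]);
    for (int i = 1; i < n; i++) if (out[i].ts_usec <= out[i-1].ts_usec) return -1;
    return n;
}

int main(void)
{
    struct rec out[16];
    int n = demo_two_sources(out, 16);
    for (int i = 0; i < n; i++)
        printf("%6llu us  %s\n", (unsigned long long)out[i].ts_usec, out[i].data);
    return n == 5 ? 0 : 1;
}
```

With real BPF devices you would replace the pipes with one pcap_t per interface, call pcap_get_selectable_fd() on each, and have read_records() call pcap_dispatch() with a callback that copies the header timestamp and the bytes into the ring. The hold-back rule then has a cost: an interface that goes completely idle stalls the merged output until it delivers a packet or is closed, so a live tool usually bounds the wait with a fixed delay window and accepts that a packet arriving later than the window may be emitted out of order.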