I once took a different approach: I made a patch to ipmon to write IP packets
to a file format that can be read by tcpdump. I even made a patch to tcpdump so
it could read and print these files.

It works in that tcpdump can indeed read the file and decode the packets. I
got stuck, however, trying to find out how the pcap compiler should be changed
so you can apply tcpdump packet filter expressions to such a file, so you
can currently only dump the entire file.

Frank

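As an added example (not ipmon's or tcpdump's code, and not Frank's patch), here is the classic libpcap file layout a packet logger has to emit so that stock tcpdump can read it: a 24-byte global header (magic, version 2.4, snaplen, link type) followed by one 16-byte record header per packet. Packets logged by an IP filter carry no link-layer header, so the example tags the file LINKTYPE_RAW (101, "raw IP"), a value libpcap already understands; since a filter expression is compiled against the file's link type, a file tagged with a known link type can be filtered by unmodified tcpdump. The sample packet is a constructed IPv4/UDP datagram (checksums left zero), and the file name `ipmon-sample.pcap` is an assumption.

```c
/* Added example: minimal writer and reader for the classic libpcap file format,
 * as emitted by a logger that captures raw IP datagrams. Not ipmon/tcpdump code. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define PCAP_MAGIC          0xa1b2c3d4u  /* written little-endian below */
#define PCAP_VERSION_MAJOR  2
#define PCAP_VERSION_MINOR  4
#define LINKTYPE_RAW        101          /* packet data starts with the IP header */
#define PCAP_FILE_HDR_LEN   24
#define PCAP_REC_HDR_LEN    16

static void put32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}
static void put16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; }
static uint32_t get32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Global header: magic, version, thiszone, sigfigs, snaplen, linktype. Returns bytes written. */
size_t pcap_write_file_header(uint8_t *out, uint32_t snaplen, uint32_t linktype) {
    put32(out, PCAP_MAGIC);
    put16(out + 4, PCAP_VERSION_MAJOR);
    put16(out + 6, PCAP_VERSION_MINOR);
    put32(out + 8, 0);            /* thiszone: GMT-to-local correction, unused */
    put32(out + 12, 0);           /* sigfigs: timestamp accuracy, unused */
    put32(out + 16, snaplen);
    put32(out + 20, linktype);
    return PCAP_FILE_HDR_LEN;
}

/* Per-packet record: ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire).
 * Data beyond snaplen is dropped, exactly as a capture with a short snaplen would do. */
size_t pcap_write_record(uint8_t *out, uint32_t ts_sec, uint32_t ts_usec,
                         const uint8_t *pkt, uint32_t orig_len, uint32_t snaplen) {
    uint32_t incl_len = orig_len > snaplen ? snaplen : orig_len;
    put32(out, ts_sec);
    put32(out + 4, ts_usec);
    put32(out + 8, incl_len);
    put32(out + 12, orig_len);
    memcpy(out + PCAP_REC_HDR_LEN, pkt, incl_len);
    return PCAP_REC_HDR_LEN + incl_len;
}

/* Reader side: validate the global header and walk the records.
 * Returns the record count, or -1 if the magic is wrong or a record is truncated. */
int pcap_count_records(const uint8_t *buf, size_t n, uint32_t *linktype_out) {
    if (n < PCAP_FILE_HDR_LEN || get32(buf) != PCAP_MAGIC) return -1;
    uint32_t snaplen = get32(buf + 16);
    if (linktype_out) *linktype_out = get32(buf + 20);
    size_t off = PCAP_FILE_HDR_LEN;
    int count = 0;
    while (off < n) {
        if (n - off < PCAP_REC_HDR_LEN) return -1;
        uint32_t incl_len = get32(buf + off + 8);
        if (incl_len > snaplen || incl_len > n - off - PCAP_REC_HDR_LEN) return -1;
        off += PCAP_REC_HDR_LEN + incl_len;
        count++;
    }
    return count;
}

/* Constructed sample: IPv4 header (10.0.0.1 -> 10.0.0.2, proto UDP) + UDP header
 * (port 1234 -> 53, length 8). Checksums are left zero; this is test data, not a capture. */
static const uint8_t sample_pkt[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0x04, 0xd2, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00
};
static uint8_t sample_file[256];
static size_t sample_len;

/* Builds a two-packet file in memory: 24 + 2 * (16 + 28) = 112 bytes. */
size_t build_sample_file(void) {
    size_t off = pcap_write_file_header(sample_file, 65535, LINKTYPE_RAW);
    off += pcap_write_record(sample_file + off, 997574400, 0, sample_pkt, sizeof sample_pkt, 65535);
    off += pcap_write_record(sample_file + off, 997574400, 500, sample_pkt, sizeof sample_pkt, 65535);
    sample_len = off;
    return off;
}
int sample_record_count(void) { return pcap_count_records(sample_file, sample_len, NULL); }
uint32_t sample_linktype(void) { uint32_t lt = 0; pcap_count_records(sample_file, sample_len, &lt); return lt; }

int main(void) {
    build_sample_file();
    FILE *f = fopen("ipmon-sample.pcap", "wb");   /* assumed output name */
    if (!f) return 1;
    fwrite(sample_file, 1, sample_len, f);
    fclose(f);
    printf("wrote %zu bytes, %d records\n", sample_len, sample_record_count());
    return 0;
}
```

After running it, `tcpdump -r ipmon-sample.pcap udp port 53` should decode both datagrams, since the file advertises a link type tcpdump's filter compiler already knows; a private link-type number would instead require teaching the compiler about the new layout.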

> -----Original Message-----
> From: Michael Richardson [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, August 12, 2001 01:09
> To: [EMAIL PROTECTED]
> Subject: [tcpdump-workers] /dev/ipmon and libpcap format
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> 
> Recently, while debugging some IPF rules, I had a lot of difficulty.
> 
> The some 3007 different IP addresses that were scanning me kind of
> made reading the log files hard. I began thinking about wanting an ipmon
> that had some more heuristics about what it logged.
> 
> I was about to send a message to Darren saying that I was thinking of
> starting such a thing. Just as I typed in his email, I realized that such
> a thing would actually be interesting to run on pretty much any trace file.
> (Whether live or not)
> 
> A /dev/ipmon that emitted in libpcap format would let one write such a
> program and use it for multiple purposes.
> 
> So, my question is, where did people go with this?
> 
> ]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
> ]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
> ] [EMAIL PROTECTED] http://www.sandelman.ottawa.on.ca/           |device driver[
> ] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use
mailto:[EMAIL PROTECTED]?body=unsubscribe
