Title: libPcap -- Dynamic Filters Question...

Hello!

        I am interested in using pcap to detect and track different protocols. Protocols such as FastTrack, Gnutella, etc. use ephemeral ports (nearly random src/dst ports) making it very difficult to define a filter for tracking these. I can basically define a filter that has a packet signature to detect things such as the beginning of a Gnutella session. For example I could use the following filter: tcp[20:4]=0x474e5554 which basically translates into: "pass this packet up if the first four bytes are GNUT". If this is the first packet that I have seen for a given srcIP:srcPort, dstIP:dstPort then this is the start of a Gnutella session.

        What I would like to be able to do is track this session by essentially adding a pcap filter (to a new instance of pcap) to monitor srcIP:srcPort and dstIP:dstPort for this new session (disregarding sequence numbers (I just need the naive case :) ) ) on the fly. This way pcap would now pass me up anything related to this session. Extending this idea a little further the original pcap instance would still detect new sessions and I would continue to add new rules to the session filter and remove them when either the session stales or I get a FIN.

        Basically, what I am trying to get at is that I would like to be able to dynamically add and remove rules from a filter on the fly. I have read a few documents about BPF+ that seem to indicate that this is the direction for BPF+ (although I have also read documents that state the contrary). Is there any functionality like this in libpcap?

Thanks very much for any help!
Jarrod

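Added example (not part of the original post, and not libpcap's own code): one way to get the "dynamic rules" effect with the API libpcap actually offers. A BPF program installed with pcap_setfilter() cannot be edited in place, so the tracker keeps its own table of 4-tuples, regenerates one filter expression from that table whenever a session is added or removed, and recompiles it on the tracking handle. The discovery expression computes the payload offset from the TCP data-offset field rather than assuming a 20-byte header, so handshakes carried in segments with TCP options are matched as well. The sample frame, the table size and the USE_PCAP build switch are assumptions of this example; pcap_compile()/pcap_setfilter()/pcap_freecode() are real libpcap calls.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SESSIONS 16   /* assumed table size for the example */

/* Discovery filter for the first pcap handle: TCP payload starts with "GNUT".
 * tcp[12]>>4 is the TCP data offset, so option-bearing headers work too. */
static const char DISCOVERY_FILTER[] =
    "tcp and tcp[((tcp[12]&0xf0)>>2):4] = 0x474e5554";

struct session {
    uint32_t src_ip, dst_ip;      /* host byte order */
    uint16_t src_port, dst_port;
    int in_use;
};

static struct session table[MAX_SESSIONS];

/* Decode Ethernet/IPv4/TCP; fill the 4-tuple and return the payload. */
static const uint8_t *parse_tcp(const uint8_t *pkt, size_t len,
                                struct session *s, size_t *plen)
{
    if (len < 54 || pkt[12] != 0x08 || pkt[13] != 0x00) return NULL;
    const uint8_t *ip = pkt + 14;
    size_t ihl = (ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6) return NULL;
    if (14 + ihl + 20 > len) return NULL;
    const uint8_t *tcp = ip + ihl;
    size_t doff = (tcp[12] >> 4) * 4;
    if (doff < 20 || 14 + ihl + doff > len) return NULL;
    s->src_ip = (uint32_t)ip[12] << 24 | ip[13] << 16 | ip[14] << 8 | ip[15];
    s->dst_ip = (uint32_t)ip[16] << 24 | ip[17] << 16 | ip[18] << 8 | ip[19];
    s->src_port = (uint16_t)(tcp[0] << 8 | tcp[1]);
    s->dst_port = (uint16_t)(tcp[2] << 8 | tcp[3]);
    *plen = len - 14 - ihl - doff;
    return tcp + doff;
}

/* Same check as DISCOVERY_FILTER, done in user space on a raw frame. */
int is_gnutella_handshake(const uint8_t *pkt, size_t len, struct session *s)
{
    size_t plen;
    const uint8_t *p = parse_tcp(pkt, len, s, &plen);
    return p != NULL && plen >= 4 && memcmp(p, "GNUT", 4) == 0;
}

/* A flow is the same session in either direction. */
static int same_flow(const struct session *a, const struct session *b)
{
    return (a->src_ip == b->src_ip && a->src_port == b->src_port &&
            a->dst_ip == b->dst_ip && a->dst_port == b->dst_port) ||
           (a->src_ip == b->dst_ip && a->src_port == b->dst_port &&
            a->dst_ip == b->src_ip && a->dst_port == b->src_port);
}

/* Returns the slot used (existing slot if already tracked), -1 if full. */
int session_add(const struct session *s)
{
    int free_slot = -1;
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (table[i].in_use && same_flow(&table[i], s)) return i;
        if (!table[i].in_use && free_slot < 0) free_slot = i;
    }
    if (free_slot < 0) return -1;
    table[free_slot] = *s;
    table[free_slot].in_use = 1;
    return free_slot;
}

/* Drop a session (on FIN or idle timeout); returns 1 if it was tracked. */
int session_remove(const struct session *s)
{
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (table[i].in_use && same_flow(&table[i], s)) {
            table[i].in_use = 0;
            return 1;
        }
    return 0;
}

static void fmt_ip(char *buf, size_t cap, uint32_t ip)
{
    snprintf(buf, cap, "%u.%u.%u.%u", ip >> 24, (ip >> 16) & 0xff,
             (ip >> 8) & 0xff, ip & 0xff);
}

/* Render the whole tracking filter from the table. Returns the number of
 * sessions included (0 leaves out empty), or -1 if the buffer is too small. */
int build_session_filter(char *out, size_t cap)
{
    int n = 0;
    size_t used = 0;
    out[0] = '\0';
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (!table[i].in_use) continue;
        char a[16], b[16];
        fmt_ip(a, sizeof a, table[i].src_ip);
        fmt_ip(b, sizeof b, table[i].dst_ip);
        /* "host A and port P and host B and port Q" covers both directions */
        int w = snprintf(out + used, cap - used,
                         "%s(host %s and port %u and host %s and port %u)",
                         n ? " or " : "tcp and (", a, table[i].src_port,
                         b, table[i].dst_port);
        if (w < 0 || (size_t)w >= cap - used) { out[0] = '\0'; return -1; }
        used += (size_t)w;
        n++;
    }
    if (n) {
        if (cap - used < 2) { out[0] = '\0'; return -1; }
        out[used++] = ')';
        out[used] = '\0';
    }
    return n;
}

#ifdef USE_PCAP   /* build with: cc -DUSE_PCAP tracker.c -lpcap */
#include <pcap.h>
/* Replace the program on the tracking handle after every table change. */
int apply_filter(pcap_t *p, const char *expr)
{
    struct bpf_program prog;
    if (pcap_compile(p, &prog, expr, 1, PCAP_NETMASK_UNKNOWN) < 0) return -1;
    int rc = pcap_setfilter(p, &prog);
    pcap_freecode(&prog);
    return rc;
}
#endif

/* Constructed sample: Ethernet + IPv4 + TCP (32-byte header, 12 bytes of
 * options) from 10.0.0.1:51234 to 10.0.0.2:6346 carrying "GNUTELLA CONNECT". */
static const uint8_t SAMPLE_FRAME[] = {
    0,1,2,3,4,5, 6,7,8,9,10,11, 0x08,0x00,
    0x45,0x00,0x00,0x4a, 0,0, 0x40,0x00, 64,6, 0,0, 10,0,0,1, 10,0,0,2,
    0xc8,0x22, 0x18,0xca, 0,0,0,1, 0,0,0,1, 0x80,0x18, 0xff,0xff, 0,0, 0,0,
    1,1,8,10, 0,0,0,1, 0,0,0,2,
    'G','N','U','T','E','L','L','A',' ','C','O','N','N','E','C','T','/','0','.','6','\r','\n'
};
```

Usage: open two handles with pcap_open_live(); install DISCOVERY_FILTER on the first, and each time its callback sees a handshake, call session_add(), build_session_filter() and apply_filter() on the second. Each recompile replaces the whole program, which is why the table, not the filter, is the source of truth; with a hundred or so sessions the expression grows long, so a FIN or idle timeout should always go through session_remove() followed by another rebuild.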