[getting back to an old issue as I was going through the issues mentioned]
On Thu, 4 Jan 2001, Guy Harris wrote:
> On Fri, Jan 05, 2001 at 12:32:27AM +0200, Pekka Savola wrote: > *
> 1) sniffing on all devices in that fashion is a Linuxism, and
> tcpdump isn't a "Linux application", it's a portable
> application one of whose supported platforms is Linux, and
> not all the other platforms support an unbound packet-capture
> device in that fashion - the way Torsten did it is better,
> you can, *on Linux*, capture on the "any" device, but the
> default behavior is still to capture on the default device;
This is good. But with such dumping, it's rather essential to get the
device name too.
> > 20:02:19.741408 eth0 > yyy.fi.ssh > zzz.fi.973: P
> > 132:928(796) ack 1 win 6432 (DF) [tos 0x10]
> >
> > -> would require a change in libpcap too?
>
> That's another Linuxism, using stuff from the "sockaddr_ll" address
> returned by a "recvfrom()" on a PF_PACKET socket.
Apparently most of these changes are already there if
HAVE_NETPACKET_PACKET_H. Libpcap just doesn't export the required stuff
to tcpdump-space.
> > -> interface name is really handy IMO!
>
> ...at least if you're capturing on all devices; if you're capturing on a
> specific device, it may not tell you anything you don't already know.
True. But there's still the type setting (multicast, broadcast, etc.)
that's interesting even then.
And if the dump data were to be saved to a file, there might be valid
reasons for storing the interface too because there would be no other way
to distinguish between two otherwise identical dumps done on two separate
interfaces.
This *might* even make sense on non-Linux platforms too -- just save the
name of the interface being dumped. This might create some overhead in
the capture file though.
> The problem is that the way it's implemented in Alexey's patches, the
> interface *index* is put into the per-packet savefile header;
> unfortunately, that index is
>
> 1) specific to the machine on which the capture is done
>
> and
>
> 2) specific to the *current* configuration of that machine
>
> so there's no guarantee that the interface names you get if you read a
> capture file on another machine are the actual interface names.
>
> Storing the interface names somewhere in the capture file would probably
> be better.
Wouldn't it be rather trivial to change it to interface name, as you said?
It'd appear that a lot of hooks for all of this are in place in
pcap-linux.c, but the interface between pcap and tcpdump is missing them.
Is anyone inclined to work on this?
--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
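An added example, not code from tcpdump or libpcap, illustrating the two points argued in this thread: what a Linux PF_PACKET socket hands back per packet in `struct sockaddr_ll` when it is left unbound (the "any" device), and why the machine-local `sll_ifindex` should be turned into a name on the capturing host and stored once per file rather than per packet. It assumes Linux with glibc headers and needs CAP_NET_RAW to actually receive packets; `pkttype_name`, `iface_table_intern` and `resolve_iface` are names chosen here, and the "interface table" layout is a sketch of the proposal, not a format libpcap writes.

```c
/* Added example (not tcpdump/libpcap code): per-packet metadata from an
 * unbound Linux PF_PACKET socket, and a per-file interface name table. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/socket.h>
#include <net/if.h>            /* if_indextoname(), IF_NAMESIZE */
#include <netinet/in.h>        /* htons(), ntohs() */
#include <linux/if_packet.h>   /* struct sockaddr_ll, PACKET_* */
#include <linux/if_ether.h>    /* ETH_P_ALL */

/* The "type setting" from the thread: sll_pkttype tells how the frame was
 * addressed relative to this host. Mapped to a printable label. */
const char *pkttype_name(unsigned char pkttype)
{
    switch (pkttype) {
    case PACKET_HOST:      return "host";
    case PACKET_BROADCAST: return "broadcast";
    case PACKET_MULTICAST: return "multicast";
    case PACKET_OTHERHOST: return "otherhost";
    case PACKET_OUTGOING:  return "outgoing";
    default:               return "unknown";
    }
}

/* Per-file interface table (hypothetical layout): names are recorded once,
 * and each packet carries a small file-local id that means the same thing
 * on whatever machine later reads the file. */
#define MAX_IFACES 16
struct iface_table {
    char names[MAX_IFACES][IF_NAMESIZE];
    int count;
};

/* Return the file-local id for `name`, adding it if unseen; -1 if full. */
int iface_table_intern(struct iface_table *t, const char *name)
{
    for (int i = 0; i < t->count; i++)
        if (strcmp(t->names[i], name) == 0)
            return i;
    if (t->count == MAX_IFACES)
        return -1;
    strncpy(t->names[t->count], name, IF_NAMESIZE - 1);
    t->names[t->count][IF_NAMESIZE - 1] = '\0';
    return t->count++;
}

/* Resolve the kernel's sll_ifindex to a name while still on the capturing
 * machine; the raw index is meaningless anywhere else. On failure the
 * buffer gets a placeholder and -1 is returned. `size` must be >= IF_NAMESIZE. */
int resolve_iface(const struct sockaddr_ll *sll, char *name, size_t size)
{
    if (if_indextoname((unsigned int)sll->sll_ifindex, name) == NULL) {
        snprintf(name, size, "ifindex%d", sll->sll_ifindex);
        return -1;
    }
    return 0;
}

int main(void)
{
    /* No bind() to a specific ifindex: this is the unbound "any" capture. */
    int fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) {
        perror("socket(PF_PACKET) (needs CAP_NET_RAW)");
        return 1;
    }
    struct iface_table table = { .count = 0 };
    unsigned char buf[65536];
    for (int n = 0; n < 10; n++) {
        struct sockaddr_ll sll;
        socklen_t slen = sizeof sll;
        ssize_t len = recvfrom(fd, buf, sizeof buf, 0,
                               (struct sockaddr *)&sll, &slen);
        if (len < 0) { perror("recvfrom"); break; }
        char name[32];
        resolve_iface(&sll, name, sizeof name);
        int id = iface_table_intern(&table, name);
        /* One line per frame, in the spirit of the "eth0 >" output quoted above. */
        printf("%s (file id %d) %s proto 0x%04x len %zd\n",
               name, id, pkttype_name(sll.sll_pkttype),
               ntohs(sll.sll_protocol), len);
    }
    close(fd);
    return 0;
}
```

Run it as root (or with CAP_NET_RAW) to see the interface name and packet type for the first ten frames on any interface. The "names once per file, small id per packet" arrangement sketched by `iface_table` is the shape the later pcapng format settled on with its Interface Description Blocks, which is what makes captures from the "any" device readable on a different machine.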