On Fri, Jan 12, 2001 at 02:51:20PM +1000, Robert Stuart wrote:
> Note I've CCed [EMAIL PROTECTED] for their info, as they are the writers of
> a piece of software called fwdumpd that uses pcap.
This isn't a patch, so it should have gone to "tcpdump-workers", not
"patches"; stuff sent to "patches" may sit there for a while before
people look at it, but stuff sent to "tcpdump-workers" at least shows up
in people's mailboxes.
> There is a useful little utility written for Linux's firewall code
> which when a packet is selected will dump a copy of the packet (in pcap
> format) to file for later analysis. This will be very useful for me,
> but one of the drawbacks is that I can't see any place for storing the
> interface from which the packet is received. Because the file is in
> pcap format, it is easy for utils like ethereal/tcpdump etc to analyse
> the file. I'd rather not hack up each of those utilities to get them to
> support my custom mods to pcap_sf_pkthdr.
>
> I am suggesting a new field go in the save file struct for EACH packet
> indicating the interface name (e.g. eth0, plip0). I'm not sure how long
> they go, but perhaps 8 chars should be enough.
>
> struct pcap_sf_new_pkthdr {
>     struct pcap_timeval ts;  /* time stamp */
>     bpf_u_int32 caplen;      /* length of portion present */
>     bpf_u_int32 len;         /* length this packet (off wire) */
>     char interface[8];       /* interface the packet is associated with */
> };
If you're capturing from multiple *different* network types, you'd need
more than the interface name for each packet, you'd need a packet
encapsulation type.
This would require, of course, a new libpcap file format, with a new
magic number, so libraries such as libpcap and Ethereal's Wiretap can
determine which particular flavor of libpcap file is being read.
It would *also* require changes to tcpdump to handle different packets
having different capture types; Ethereal already handles that, but
tcpdump doesn't currently do so.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
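
The point made in the reply above, that a changed per-packet header needs its own magic number, shown as an added example (not code from libpcap, tcpdump or either poster): the reader picks the record-header size from the magic, rejects magics it does not know, and bounds-checks `caplen`. `IFNAME_MAGIC`, `walk_savefile` and the sample bytes are constructed for illustration; the 24-byte record layout is the struct proposed in the quoted message.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PCAP_MAGIC   0xa1b2c3d4u /* classic libpcap savefile magic */
#define IFNAME_MAGIC 0xa1b2ff08u /* HYPOTHETICAL magic for the proposed layout */

/* Constructed sample: file header plus one record in the proposed layout. */
static const uint8_t sample[] = {
    0x08,0xff,0xb2,0xa1, 2,0, 4,0, 0,0,0,0, 0,0,0,0, /* magic, v2.4, zone, sigfigs */
    0xff,0xff,0,0, 1,0,0,0,                          /* snaplen 65535, linktype 1 */
    0,0,0,0, 0,0,0,0, 4,0,0,0, 4,0,0,0,              /* ts, caplen 4, len 4 */
    'e','t','h','0',0,0,0,0,                         /* interface[8] */
    0xde,0xad,0xbe,0xef                              /* packet bytes */
};

/* Read a 32-bit field in host order, byte-swapping if the writer's order differs. */
static uint32_t rd32(const uint8_t *p, int swap) {
    uint32_t v;
    memcpy(&v, p, 4);
    if (swap) v = (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
    return v;
}

/* Walk a savefile image. Returns the record count, or -1 on an unknown magic,
 * a truncated record, or a caplen larger than snaplen or the bytes remaining.
 * ifname receives the last record's interface name ("" for the classic layout). */
int walk_savefile(const uint8_t *buf, size_t n, char ifname[9]) {
    if (n < 24) return -1;                          /* file header is 24 bytes */
    uint32_t magic = rd32(buf, 0);
    int swap = (magic != PCAP_MAGIC && magic != IFNAME_MAGIC);
    if (swap) magic = rd32(buf, 1);                 /* try the other byte order */
    if (magic != PCAP_MAGIC && magic != IFNAME_MAGIC) return -1;
    size_t hdr = (magic == IFNAME_MAGIC) ? 24 : 16; /* the magic selects the layout */
    uint32_t snaplen = rd32(buf + 16, swap);
    size_t off = 24;
    int count = 0;
    ifname[0] = '\0';
    while (off < n) {
        if (n - off < hdr) return -1;
        uint32_t caplen = rd32(buf + off + 8, swap);
        if (caplen > snaplen || caplen > n - off - hdr) return -1;
        if (hdr == 24) { memcpy(ifname, buf + off + 16, 8); ifname[8] = '\0'; }
        off += hdr + caplen;
        count++;
    }
    return count;
}
```

If the same bytes carried the classic magic, the reader would take the interface field for packet data and lose record alignment, which is why the layout change cannot reuse the old magic.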