>>>>> "Guy" == Guy Harris <[EMAIL PROTECTED]> writes:
>> I've submitted an IETF draft (I-D) that describes a
>> packet format for remote packet capture and I'd like to
>> get comments from this group. There are a number
>> of ideas in the draft, but the basic idea is to build
>> remote packet taps, but without the problems of RMON
>> packet capture or "port copy" schemes.
Guy> RMON supports a very limited sort of "packet filtering"; as I remember,
Guy> you can specify some number of offsets, masks, and values, so that only
Guy> packets where the data at the offset, when ANDed with the mask, equals
Guy> the value, will be captured.
Yes, but this gets screwed up sometimes with various options/extensions/etc.
Guy> It'd perhaps be niftier if you could, instead, send a BPF program to the
Guy> device, although if devices that do RMON do the packet filtering in
Guy> hardware, that could be tricky as they'd have to do BPF in software if
Guy> they didn't have hardware to do it.
It would be better if one sent a higher level (declative) expression to the device.
That way, if they do things in hardware, they can more easily map the
expression to their hardware.
If someone wants to pursue this, I suggest looking at the PIB or Policy WG
stuff for encoding ideas.
] Train travel features AC outlets with no take-off restrictions|gigabit is no[
] Michael Richardson, Solidum Systems Oh where, oh where has|problem with[
] [EMAIL PROTECTED] www.solidum.com the little fishy gone?|PAX.port 1100[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
