-Original Message-
From: m...@sandelman.ca [mailto:m...@sandelman.ca]
Sent: 19 June 2013 14:50
To: Anders Broman
Cc: tcpdump-workers@lists.tcpdump.org
Subject: Re: [tcpdump-workers] Request for new DLT
Anders Broman wrote:
Anders> Hi, Any chance of getting forward on this? I'm
How does PCAP handle running many rules? The current approach is to
open one PCAP interface per rule.
The end goal is to be able to run a live application with 1000's of
simultaneous rules.
The issue is that the current pcap_open_* interfaces are pretty
limited. I could open one pcap str
On Jun 19, 2013, at 10:44 AM, Alan DeKok wrote:
> However... I can't do this right now. There's pcap_open_live() for
> interfaces. There's pcap_open_offline() for files. There's no
> interface which says "here's a packet, run the rule against it".
$ man pcap_offline_filter
PCAP_OFFLINE_FILT
Guy Harris wrote:
> Older versions of libpcap don't have that,
Ah, that's why I couldn't find it.
> Fill in a "struct pcap_pkthdr" (the filter doesn't look at the time stamp;
> all it cares about is "caplen", which tells it how much packet data there is,
> and "len", which tells it what the l