[tcpdump-workers] Multiple interface listening modification
Hi All,

I am using libpcap version 1.7.3 and I need to listen on multiple interfaces from the same user process. I am planning to patch libpcap to be able to use a socket array whose sockets are attached to different interfaces. So I want your reviews of this modification: should I design it in the direction of multiple sockets, or is there a more feasible method that I do not know yet?

Thank you.

Best regards,
Tugrul

___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Re: [tcpdump-workers] Multiple interface listening modification
Thanks for your replies Michal and Guy,

The main handicap is using libpcap-based user space tools like tcpdump, tcpstat and tshark in my project. If I change the libpcap usage in those user level applications, I must leave the upstreams of those applications, and I cannot face leaving that many projects' upstreams. For this reason I wanted to adapt libpcap, which is dynamically linked into the user space tools mentioned in the previous sentence. I have defined a pcap_t->fd array and coded the multiple socket adaptation on libpcap 1.7.3. It seems to run successfully.

I want to thank you again for your help.

Best regards,
Tugrul

On Thu, Jun 4, 2015 at 7:38 PM, Guy Harris wrote:
>
> On Jun 4, 2015, at 12:37 AM, Michal Sekletar wrote:
>
> > Can't you just pcap_open more interfaces and for each pcap_t* you get
> > call pcap_fileno which will return the file descriptor for that capture.
> > Then you can use select/epoll to multiplex on those descriptors.
>
> Or, in newer versions of libpcap, call pcap_get_selectable_fd(), which,
> for devices on which you can capture but on which you *can't* use
> select()/poll()/epoll()/kqueues, returns -1. (Yes, they do exist; the DAG
> card drivers don't support it.)
>
> BTW, that's also one problem with having a single pcap_t refer to multiple
> devices - a lot of code out there expects a single descriptor on which it
> can do select()/poll()/epoll()/kqueues, and you can't do that if a single
> pcap_t refers to multiple devices.
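The approach Michal and Guy describe above (one pcap_t per interface, one descriptor each, multiplexed with select(), with -1 from pcap_get_selectable_fd() treated as "not selectable"), as an added example that is not code from the thread or from libpcap. The descriptors are plain ints so that it builds without libpcap: in a real program they would come from pcap_get_selectable_fd() and the handler would call pcap_dispatch(); in the self-check two pipes stand in for two interfaces.

```c
/* Added example (not from the thread or from libpcap): one pcap_t per
 * interface, one descriptor each, multiplexed with select(). In a real
 * program the descriptors come from pcap_get_selectable_fd() and the
 * handler calls pcap_dispatch(); here they are plain ints so the code
 * builds and runs without libpcap. */
#include <errno.h>
#include <stddef.h>
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

typedef int (*ready_handler)(int fd, void *ctx);

/* Wait up to timeout_ms for any of the n descriptors to become readable and
 * call handler once per readable descriptor. Entries equal to -1, which is
 * what pcap_get_selectable_fd() returns for devices that cannot be waited
 * on, are skipped; the caller must service those separately (for example by
 * polling with a timeout). Returns the number of descriptors handled, 0 on
 * timeout, -1 on a select() or handler error. */
int multiplex_once(const int *fds, size_t n, int timeout_ms,
                   ready_handler handler, void *ctx)
{
    fd_set readfds;
    int maxfd = -1;

    FD_ZERO(&readfds);
    for (size_t i = 0; i < n; i++) {
        if (fds[i] < 0 || fds[i] >= FD_SETSIZE)
            continue;           /* -1: not selectable; too large for fd_set */
        FD_SET(fds[i], &readfds);
        if (fds[i] > maxfd)
            maxfd = fds[i];
    }
    if (maxfd < 0)
        return 0;               /* nothing to wait on */

    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    int ready;
    do {
        ready = select(maxfd + 1, &readfds, NULL, NULL, &tv);
    } while (ready < 0 && errno == EINTR);
    if (ready <= 0)
        return ready;

    int handled = 0;
    for (size_t i = 0; i < n; i++) {
        if (fds[i] >= 0 && fds[i] < FD_SETSIZE && FD_ISSET(fds[i], &readfds)) {
            if (handler(fds[i], ctx) < 0)
                return -1;
            handled++;
        }
    }
    return handled;
}

/* Handler used by the self-check: read one byte and record which
 * descriptor delivered it (a pcap program would call pcap_dispatch here). */
struct seen { int fd; int count; };

static int drain_one(int fd, void *ctx)
{
    struct seen *s = ctx;
    char b;
    if (read(fd, &b, 1) != 1)
        return -1;
    s->fd = fd;
    s->count++;
    return 0;
}

/* Self-check: two pipes stand in for two interfaces, -1 for a device that
 * is not selectable. Only the pipe that has data may fire, and a second
 * wait must time out. Returns 1 on success, 0 otherwise. */
int demo_two_pipes(void)
{
    int a[2], b[2];
    if (pipe(a) < 0 || pipe(b) < 0)
        return 0;
    int fds[3] = { a[0], b[0], -1 };
    struct seen s = { -1, 0 };
    int ok = write(b[1], "x", 1) == 1;
    ok = ok && multiplex_once(fds, 3, 1000, drain_one, &s) == 1;
    ok = ok && s.count == 1 && s.fd == b[0];
    ok = ok && multiplex_once(fds, 3, 10, drain_one, &s) == 0;
    close(a[0]); close(a[1]); close(b[0]); close(b[1]);
    return ok;
}
```

This keeps one pcap_t per device, which is what existing tools (and Guy's point about code that expects a single selectable descriptor per pcap_t) assume; the -1 case is skipped rather than passed to select(), where it would be undefined behaviour.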
[tcpdump-workers] Fwd: Tcpdump circular ring buffer modification
Hi All,

I am using libpcap-1.7.3 and tcpdump-4.1.1. I need to record the traffic of an interface, so I am planning to use tcpdump with the "-W 6 -G 10" parameters to record the last one minute. But the tcpdump process exits after recording the sixth pcap file, whereas I need an endless ring buffer recording process that removes the oldest pcap file before each new pcap file, to be able to limit the disk area of the ring buffer.

To solve this problem I can write a script and start a new ring buffer recorder tcpdump each minute after the current one has exited; but on each restart attempt, process creation and waiting for the record time cause packet drops on the ring buffer.

So I have examined the exiting section of the tcpdump source code in "tcpdump.c" (just below the "/* * Check to see if we've exceeded the Wflag (when * not using Cflag). */" comment). Firstly I am planning to disable the exiting code inside the "Wflag" number-of-files control. And secondly I am planning to keep the "WFileName" file names in a circular queue structure which can store a maximum of "Wflag" strings at any time. I will use these older "WFileName" strings to be able to remember the oldest pcap file and so delete it from the directory. When I remove the oldest "WFileName" from the directory I will remove its name from the circular queue too.

So I want your reviews of this modification: should I do it or not?

Thank you.

Best regards,
Tugrul
[tcpdump-workers] Ringbuf pcap reading and "bogus savefile header" error
Hi all,

I have a problem with reading circular ring buffer pcap records. There is a pcap file which stores the last X seconds of packets, and every X seconds a new pcap file is created. I can successfully read the initial pcap file for X seconds with "tail -n+o -F | tcpdump -r - -nn". But when the pcap file is rotated, the new pcap file causes a "bogus savefile header" error from libpcap. I think that the new pcap file's header section is being parsed as packet data. How can I adapt libpcap for my needs? I kindly want your opinions.

Best regards,
Tugrul
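The rotation case described in this post, as an added example that is not part of the thread or of libpcap: when tail -F follows the rotated file, it emits the new file's 24-byte global header in the middle of the byte stream, where a reader expects a 16-byte record header. The walker below recognises such a mid-stream header and either rejects the stream (a strict reader) or consumes it and continues under the new file's byte order and snaplen. The sample bytes are constructed in the code.

```c
/* Added example (not libpcap code): a minimal pcap stream walker that
 * recognises a second file header in the middle of the stream, which is
 * what `tail -F` emits when the capture file is rotated, and either rejects
 * it or skips it. Sample bytes are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PCAP_FILE_HDR_LEN 24
#define PCAP_REC_HDR_LEN  16

/* Fields as written by a little-endian writer, swapped if the file header
 * announced the opposite byte order. */
static uint32_t rd32(const unsigned char *p, int swapped)
{
    uint32_t v = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                 (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    if (swapped)
        v = (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
    return v;
}
static uint16_t rd16(const unsigned char *p, int swapped)
{
    return swapped ? (uint16_t)(p[0] << 8 | p[1]) : (uint16_t)(p[1] << 8 | p[0]);
}

/* 1 if p starts a pcap file header (known magic, version 2.4); *swapped
 * reports the writer's byte order. Needs PCAP_FILE_HDR_LEN bytes at p. */
static int is_file_header(const unsigned char *p, int *swapped)
{
    switch (rd32(p, 0)) {
    case 0xa1b2c3d4u: case 0xa1b23c4du: *swapped = 0; break; /* us / ns stamps */
    case 0xd4c3b2a1u: case 0x4d3cb2a1u: *swapped = 1; break; /* other byte order */
    default: return 0;
    }
    return rd16(p + 4, *swapped) == 2 && rd16(p + 6, *swapped) == 4;
}

/* Count records in a pcap byte stream. A file header found where a record
 * header is expected is the rotated file arriving through tail -F: with
 * tolerate_rotation it is consumed and the walk continues under the new
 * file's byte order and snaplen; without it the stream is bogus and -1 is
 * returned. Also -1 on truncation or a record longer than snaplen. A record
 * whose ts_sec equals a magic value (a date after 2055) would be misread,
 * so this is a heuristic for streams of current captures, not a format rule. */
long count_pcap_records(const unsigned char *buf, size_t len, int tolerate_rotation)
{
    int swapped, next_swapped;
    if (len < PCAP_FILE_HDR_LEN || !is_file_header(buf, &swapped))
        return -1;
    uint32_t snaplen = rd32(buf + 16, swapped);
    size_t off = PCAP_FILE_HDR_LEN;
    long n = 0;
    while (off < len) {
        if (len - off >= PCAP_FILE_HDR_LEN && is_file_header(buf + off, &next_swapped)) {
            if (!tolerate_rotation)
                return -1;
            swapped = next_swapped;
            snaplen = rd32(buf + off + 16, swapped);
            off += PCAP_FILE_HDR_LEN;
            continue;
        }
        if (len - off < PCAP_REC_HDR_LEN)
            return -1;
        uint32_t incl_len = rd32(buf + off + 8, swapped);
        if (incl_len > snaplen || incl_len > len - off - PCAP_REC_HDR_LEN)
            return -1;
        off += PCAP_REC_HDR_LEN + incl_len;
        n++;
    }
    return n;
}

/* Constructed little-endian sample: file 1 with two records, then file 2
 * (header included, as tail -F would emit it) with one record. */
static size_t put32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
    return 4;
}
static size_t put_file_header(unsigned char *p)
{
    static const unsigned char ver[4] = { 2, 0, 4, 0 };   /* version 2.4 */
    size_t o = put32(p, 0xa1b2c3d4u);
    memcpy(p + o, ver, 4); o += 4;
    o += put32(p + o, 0); o += put32(p + o, 0);           /* thiszone, sigfigs */
    o += put32(p + o, 65535); o += put32(p + o, 1);       /* snaplen, Ethernet */
    return o;
}
static size_t put_record(unsigned char *p, uint32_t ts_sec, const unsigned char *d, uint32_t n)
{
    size_t o = put32(p, ts_sec);
    o += put32(p + o, 0); o += put32(p + o, n); o += put32(p + o, n); /* usec, incl, orig */
    memcpy(p + o, d, n);
    return o + n;
}
long demo_rotated_stream(int tolerate_rotation)
{
    static const unsigned char pkt[8] = { 0xde, 0xad, 0xbe, 0xef, 1, 2, 3, 4 };
    unsigned char buf[160];
    size_t o = put_file_header(buf);
    o += put_record(buf + o, 1433400000u, pkt, 4);
    o += put_record(buf + o, 1433400001u, pkt, 8);
    o += put_file_header(buf + o);                 /* rotation point */
    o += put_record(buf + o, 1433400010u, pkt, 6);
    return count_pcap_records(buf, o, tolerate_rotation);
}
```

The strict walk stops at the rotation point, which is the behaviour the post observes; the tolerant walk yields all three records. Because each file in a ring may in principle be written with a different byte order or snaplen, the tolerant path re-reads both from the new header rather than carrying the first file's values forward.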