Michael Richardson wrote:
> I'm unclear if you want to run many rules (filter1 OR filter2 OR filter3) on
> a single interface, or you want to run many pcap filters on different
> interfaces.
One interface. 1000s of filter rules.
> I think that Guy's answer suggesting that your pcap library wa
Guy Harris wrote:
> Older versions of libpcap don't have that,
Ah, that's why I couldn't find it.
> Fill in a "struct pcap_pkthdr" (the filter doesn't look at the time stamp;
> all it cares about is "caplen", which tells it how much packet data there is,
> and "len", which tells it what the l
On Jun 19, 2013, at 10:44 AM, Alan DeKok wrote:
> However... I can't do this right now. There's pcap_open_live() for
> interfaces. There's pcap_open_offline() for files. There's no
> interface which says "here's a packet, run the rule against it".
$ man pcap_offline_filter
PCAP_OFFLINE_FILT
How does PCAP handle running many rules? The current approach is to
open one PCAP interface per rule.
The end goal is to be able to run a live application with 1000s of
simultaneous rules.
The issue is that the current pcap_open_* interfaces are pretty
limited. I could open one pcap str