On Apr 5, 2005, at 10:36 AM, Shyam Kumar wrote:
> I am working on utilizing tcpdump for the way it presents data. As per
> my Switch/Router I have my own implementation of ACL (Access Control
> List) / Filter rule set & want to enhance its data representation part.
> For that very purpose I need to utilize data representation part of
> tcpdump.
I shall assume that by "data representation part" you mean the part that prints out the dissection of packets, e.g.:
14:14:00.963585 arp who-has random.host.com tell 192.9.200.1
(If not, ignore most of what I say below, and say what you *do* mean by "data representation part".)
> I have tcpdump code & libpcap.a code.
> As per my understanding so far, libpcap has Bison parser, lex analyzer &
> BPF filtering mechanism.
Well, the parser can actually be generated by many versions of Yacc - it doesn't *need* Bison, but, yes, it has all of those.
It also has code to read and write capture files, and code to capture raw packets on a number of different operating systems, and to enumerate interfaces on which traffic can be captured.
> I want to drop its filtering mechanism & utilize only data presentation
> part.
One thing libpcap *doesn't* have is a data presentation part.
> My queries are:-
> [1] Data Representation is handled by tcpdump code only or both by tcpdump code & libpcap code??
tcpdump code only.
> [2] which *.c & *.h files deal with data representation in tcpdump & libpcap code ??
Data representation is dealt with by all the files in the tcpdump source that have "print-" in their name, and all files containing code they call, which means that almost all, if not all, of the files in the tcpdump source have code that deals with data representation.
> [3] Can the data representation part be easily segregated from parsing &
> filtering mechanism??
They are, in a sense, already segregated - the code to parse filter expressions, and the code to generate from that parse a BPF filter program and to evaluate those filters (or to hand them to the kernel to evaluate) is in libpcap, and the code to print out the packets is in tcpdump.
The current CVS version of tcpdump has the initial work towards making a library out of the core of tcpdump, to allow other programs to use its data representation part, but I don't know whether it's complete enough for you to use without change.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
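To illustrate the split the reply describes, here is an added example (not tcpdump's or libpcap's own code) of the "data representation part" on its own: a small, bounds-checked dissector that takes a raw Ethernet/ARP frame and produces the same one-line summary tcpdump's print-arp code would, without touching libpcap's filter parser or BPF machinery. The frame bytes, the function name `format_arp`, and the addresses 192.9.200.1/192.9.200.50 are constructed for this example; only the output format follows tcpdump's "arp who-has X tell Y" line shown above.

```c
/* Added example, not tcpdump/libpcap code: a minimal ARP dissector that
 * formats a frame the way tcpdump's print-arp.c does. It uses no libpcap
 * at all, which is the point: printing is independent of filtering.
 * Every offset is checked against the frame length before it is read, so
 * a truncated or malformed frame yields -1 instead of an out-of-bounds read. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN    14
#define ARP_LEN        28      /* ARP header for Ethernet (hlen 6) / IPv4 (plen 4) */
#define ETHERTYPE_ARP  0x0806
#define ARP_OP_REQUEST 1
#define ARP_OP_REPLY   2

/* Read a 16-bit big-endian (network byte order) field. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Format an IPv4 address as dotted quad. */
static void fmt_ip(const uint8_t *p, char *out, size_t outlen) {
    snprintf(out, outlen, "%u.%u.%u.%u",
             (unsigned)p[0], (unsigned)p[1], (unsigned)p[2], (unsigned)p[3]);
}

/* Dissect one Ethernet frame carrying ARP-over-IPv4 and write a tcpdump-style
 * summary into out. Returns 0 on success, -1 if the frame is too short or is
 * not Ethernet/IPv4 ARP. ARP field offsets (after the 14-byte Ethernet header):
 * htype 0, ptype 2, hlen 4, plen 5, oper 6, sha 8, spa 14, tha 18, tpa 24. */
int format_arp(const uint8_t *frame, size_t len, char *out, size_t outlen) {
    if (len < ETH_HDR_LEN + ARP_LEN) return -1;            /* truncated */
    if (rd16(frame + 12) != ETHERTYPE_ARP) return -1;      /* not ARP */
    const uint8_t *arp = frame + ETH_HDR_LEN;
    if (rd16(arp) != 1 || rd16(arp + 2) != 0x0800) return -1; /* htype/ptype */
    if (arp[4] != 6 || arp[5] != 4) return -1;             /* hlen/plen */

    uint16_t op = rd16(arp + 6);
    char spa[16], tpa[16];
    fmt_ip(arp + 14, spa, sizeof spa);   /* sender protocol address */
    fmt_ip(arp + 24, tpa, sizeof tpa);   /* target protocol address */

    if (op == ARP_OP_REQUEST) {
        snprintf(out, outlen, "arp who-has %s tell %s", tpa, spa);
    } else if (op == ARP_OP_REPLY) {
        const uint8_t *sha = arp + 8;    /* sender hardware address */
        snprintf(out, outlen, "arp reply %s is-at %02x:%02x:%02x:%02x:%02x:%02x",
                 spa, sha[0], sha[1], sha[2], sha[3], sha[4], sha[5]);
    } else {
        snprintf(out, outlen, "arp unknown-op %u", (unsigned)op);
    }
    return 0;
}

/* Constructed sample frame: ARP request from 192.9.200.1 asking who has
 * 192.9.200.50. Byte values are made up for this example. */
static const uint8_t sample_request[ETH_HDR_LEN + ARP_LEN] = {
    0xff,0xff,0xff,0xff,0xff,0xff,          /* dst MAC: broadcast */
    0x00,0x11,0x22,0x33,0x44,0x55,          /* src MAC */
    0x08,0x06,                              /* EtherType: ARP */
    0x00,0x01, 0x08,0x00, 0x06, 0x04,       /* htype, ptype, hlen, plen */
    0x00,0x01,                              /* opcode: request */
    0x00,0x11,0x22,0x33,0x44,0x55,          /* sender MAC */
    192,9,200,1,                            /* sender IP */
    0x00,0x00,0x00,0x00,0x00,0x00,          /* target MAC (unknown) */
    192,9,200,50                            /* target IP */
};

int main(void) {
    char line[80];
    if (format_arp(sample_request, sizeof sample_request, line, sizeof line) == 0)
        printf("%s\n", line);
    else
        printf("not an ARP frame\n");
    return 0;
}
```

The function does nothing a filter would do (no expression parsing, no BPF program); it only decodes and prints, which is exactly what can be lifted from tcpdump independently of libpcap. The length check before every field read is the habit that matters when this code is fed packets from an untrusted network.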