On the Ethereal list, there was a discussion about how to do live tracing on a remote host. The obvious solution is to have a remote program that captures and sends the data via a network connection to the local host, where Ethereal can analyse the data.

The question is whether this feature should be implemented in libpcap, so that other applications (such as tcpdump) can also use it. WinPcap already has such a feature called rpcap (including a remote application for UNIX), but it is still marked as experimental, and I couldn't find any detailed documentation on it.

My proposal would be to introduce a magic string (like remote://1234) that makes libpcap listen on UDP port 1234. The remote capture application can "connect" and send the data in libpcap format. Because UDP is connectionless, I might add some special logic for the file header. As a result, it should be trivial to capture on several remote systems and combine the trace.

Any ideas? Is libpcap the right place for this? Is the feature of general interest? And are there explicit conditions before the code would be accepted? (Unfortunately I don't really have much time for this, only a day or two, which is the main reason that I want to keep it as simple as possible.)

Thomas
-
This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
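
An added example, not part of the original post and not libpcap or WinPcap code: a receiver-side parser for the proposal's "libpcap format over UDP", showing the file-header handling and the length checks an unauthenticated UDP listener needs. The framing is an assumption (each datagram carries at most one record, and a sender may prefix any datagram with the 24-byte file header); `parse_datagram`, `struct stream`, `struct record` and `sample_dgram` are hypothetical names.

```c
#include <stdint.h>
#include <string.h>

#define PCAP_MAGIC 0xa1b2c3d4u
#define FILE_HDR   24   /* pcap file header length */
#define REC_HDR    16   /* pcap per-packet header length */

/* Keep one struct stream per sender address: byte order and snaplen are per host. */
struct stream { int have_hdr, swapped; uint32_t snaplen; };
struct record { uint32_t ts_sec, ts_usec, caplen, len; const uint8_t *data; };

/* Constructed sample datagram: big-endian file header, then one 4-byte packet. */
const uint8_t sample_dgram[] = {
    0xa1,0xb2,0xc3,0xd4, 0,2, 0,4, 0,0,0,0, 0,0,0,0, 0,0,0xff,0xff, 0,0,0,1,
    0,0,0,1, 0,0,0,2, 0,0,0,4, 0,0,0,64, 0xde,0xad,0xbe,0xef
};

static uint32_t rd32(const uint8_t *p, int swap)
{
    uint32_t v;
    memcpy(&v, p, 4);   /* host-order read without alignment assumptions */
    return swap ? (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24) : v;
}

/* Returns 1 for a record, 0 for a header-only datagram, -1 if rejected. */
int parse_datagram(struct stream *s, const uint8_t *buf, size_t n, struct record *r)
{
    if (n >= FILE_HDR && (rd32(buf, 0) == PCAP_MAGIC || rd32(buf, 1) == PCAP_MAGIC)) {
        s->swapped = rd32(buf, 0) != PCAP_MAGIC;   /* sender has the other byte order */
        s->snaplen = rd32(buf + 16, s->swapped);
        s->have_hdr = 1;
        buf += FILE_HDR;
        n -= FILE_HDR;
        if (n == 0)
            return 0;
    }
    if (!s->have_hdr || n < REC_HDR)
        return -1;      /* byte order unknown, or truncated record header */
    r->ts_sec  = rd32(buf, s->swapped);
    r->ts_usec = rd32(buf + 4, s->swapped);
    r->caplen  = rd32(buf + 8, s->swapped);
    r->len     = rd32(buf + 12, s->swapped);
    /* caplen comes from the network: it must match the bytes actually received */
    if (r->caplen != n - REC_HDR || r->caplen > s->snaplen || r->caplen > r->len)
        return -1;
    r->data = buf + REC_HDR;
    return 1;
}
```

Records that arrive before any file header are dropped because their byte order cannot be known, which is the case the "special logic for the file header" has to cover.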