> My proposal would be to introduce a magic string (like remote://1234),
> that makes libpcap listen on UDP port 1234. The remote capture
> application can "connect" and send the data in libpcap format. Because
> UDP is connectionless, I might add some special logic for the file
> header. As a result, it should be trivial to capture on several remote
> systems and combine the trace.
>
> Any ideas? Is libpcap the right place for this? Is the feature of
> general interest? And are there explicit conditions before the code
> would be accepted?
I was actually discussing something similar to this just last night. I'd advocate swapping the client/server directions -- and probably, if not always using, at least supporting TCP. I see it more as setting up a remote capture system and then having a bunch of clients connect to it. I think this is an important distinction, since otherwise you have to keep restarting the remote agent every time you add a new client (bad), or you have to set up some sort of listener on that end and ping it with a UDP magic frame to start it sending (sort of annoying). If you do UDP you'll also have to set up a channel/detector to say "I'm not listening anymore" (or, more completely, once a second, "I'm still listening").

My thought was a TCP server on the remote capture system (or, in my case, the local capture system too; running it through localhost is a good way to get realtime data out of a packet capture/mangler system into other tools on localhost) which had a frame protocol. First frame on connection: protocol version and pcap link encap. The rest of the frames: one pcap packet per frame, with a frame header carrying the same data as the pcap struct -- length, timestamp, etc. TCP also has the bonus of being easily tunnelable over ssh/ssl/foo -- no good at all for high-bandwidth apps, but really good for low-bandwidth remote captures of, say, wireless.

libpcap presents a select()able fd already, so we'd only have to write a TCP client w/ a ring buffer and patch pcap_dispatch, I believe. I've got code that does almost this already; however, it's in C++ so it would need to be converted to straight C, not a huge problem.

-m
--
"We're sorry, Susy won't be attending classes for the rest of this academic year. She caught the measles, and we had her shot."
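The frame protocol sketched in the reply above (first frame: protocol version and pcap link type; then one captured packet per frame, the frame header carrying the pcap_pkthdr fields), written out as an added example. This is not code from the reply, from the poster's C++ implementation, or from libpcap; the big-endian byte layout, the version number, the RC_MAX_SNAPLEN bound and the two sample packets are my assumptions. The point it adds is on the receiving side: a client that reads these frames off a TCP socket (or an ssh tunnel) must bound the on-the-wire caplen before copying or handing a pcap_pkthdr to the application, and must cope with a frame that is only partly delivered, which is what the ring buffer mentioned above is for.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define RC_VERSION     1u       /* assumed protocol version */
#define RC_HDR_LEN     8u       /* version(4) + linktype(4) */
#define RC_PKTHDR_LEN  16u      /* ts_sec(4) ts_usec(4) caplen(4) len(4) */
#define RC_MAX_SNAPLEN 262144u  /* assumed sanity bound on caplen (libpcap's MAXIMUM_SNAPLEN) */
#define DLT_EN10MB_VAL 1u       /* numeric value of libpcap's DLT_EN10MB */

void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
uint32_t get32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Sender: the first frame on a connection. Returns bytes written, 0 if out is too small. */
size_t rc_encode_header(uint8_t *out, size_t cap, uint32_t linktype) {
    if (cap < RC_HDR_LEN) return 0;
    put32(out, RC_VERSION);
    put32(out + 4, linktype);
    return RC_HDR_LEN;
}

/* Sender: one packet per frame, header = the pcap_pkthdr fields in network order. */
size_t rc_encode_packet(uint8_t *out, size_t cap, uint32_t ts_sec, uint32_t ts_usec,
                        uint32_t len, const uint8_t *data, uint32_t caplen) {
    if (caplen > len || caplen > RC_MAX_SNAPLEN) return 0;
    if (cap < RC_PKTHDR_LEN + caplen) return 0;
    put32(out, ts_sec); put32(out + 4, ts_usec);
    put32(out + 8, caplen); put32(out + 12, len);
    memcpy(out + RC_PKTHDR_LEN, data, caplen);
    return RC_PKTHDR_LEN + caplen;
}

typedef struct {
    uint32_t ts_sec, ts_usec, caplen, len;
    const uint8_t *data;  /* points into the receive buffer, not copied */
} rc_pkt;

/* Receiver: parse the header frame. Returns bytes consumed (RC_HDR_LEN),
 * 0 if fewer than RC_HDR_LEN bytes have arrived yet, -1 on a version mismatch. */
int rc_decode_header(const uint8_t *buf, size_t n, uint32_t *linktype) {
    if (n < RC_HDR_LEN) return 0;
    if (get32(buf) != RC_VERSION) return -1;
    *linktype = get32(buf + 4);
    return (int)RC_HDR_LEN;
}

/* Receiver: parse as many complete packet frames as the buffer holds.
 * Returns the packet count, or -1 on a malformed frame. *consumed is the
 * number of bytes fully parsed; the caller keeps the unparsed tail (a partial
 * frame) in its ring buffer and appends the next read() to it. */
int rc_decode_packets(const uint8_t *buf, size_t n, rc_pkt *pkts, int maxpkts, size_t *consumed) {
    size_t off = 0;
    int count = 0;
    while (count < maxpkts && n - off >= RC_PKTHDR_LEN) {
        uint32_t caplen = get32(buf + off + 8);
        uint32_t len    = get32(buf + off + 12);
        /* Bound caplen before using it: a remote-controlled length must not drive
         * the data pointer past the buffer or hand the app caplen > len. */
        if (caplen > RC_MAX_SNAPLEN || caplen > len) return -1;
        if (n - off - RC_PKTHDR_LEN < caplen) break;   /* frame not fully delivered yet */
        pkts[count].ts_sec  = get32(buf + off);
        pkts[count].ts_usec = get32(buf + off + 4);
        pkts[count].caplen  = caplen;
        pkts[count].len     = len;
        pkts[count].data    = buf + off + RC_PKTHDR_LEN;
        off += RC_PKTHDR_LEN + caplen;
        count++;
    }
    *consumed = off;
    return count;
}

/* Constructed sample stream: header + two packets with made-up payloads.
 * The second one was cut by the snaplen (len 1500, caplen 4). Returns stream length. */
size_t rc_build_sample(uint8_t *buf, size_t cap) {
    static const uint8_t p1[] = { 0xff,0xff,0xff,0xff,0xff,0xff,
                                  0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x06 };
    static const uint8_t p2[] = { 0xde,0xad,0xbe,0xef };
    size_t n = 0, k;
    if ((k = rc_encode_header(buf, cap, DLT_EN10MB_VAL)) == 0) return 0;
    n += k;
    if ((k = rc_encode_packet(buf + n, cap - n, 1000, 500, sizeof p1, p1, sizeof p1)) == 0) return 0;
    n += k;
    if ((k = rc_encode_packet(buf + n, cap - n, 1000, 750, 1500, p2, sizeof p2)) == 0) return 0;
    return n + k;
}

int main(void) {
    uint8_t buf[128];
    rc_pkt pk[4];
    uint32_t lt = 0;
    size_t n = rc_build_sample(buf, sizeof buf), used = 0;
    int h = rc_decode_header(buf, n, &lt);
    int c = (h > 0) ? rc_decode_packets(buf + h, n - h, pk, 4, &used) : -1;
    printf("linktype=%u packets=%d consumed=%zu of %zu\n", lt, c, used, n - (size_t)(h > 0 ? h : 0));
    for (int i = 0; i < c; i++)
        printf("  %u.%06u caplen=%u len=%u\n", pk[i].ts_sec, pk[i].ts_usec, pk[i].caplen, pk[i].len);
    return 0;
}
```

Two details carry the weight here. First, the decoder never trusts caplen: a frame claiming a caplen larger than the bound, or larger than the original len, is rejected rather than used as a copy length. Second, a frame that is only partly in the buffer is left unconsumed, so the client can append the next read() and retry, which is the ring-buffer behaviour the reply describes. Neither check exists in the sketch as written, and both are what separates a remote-capture client from a remote memory-corruption bug.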