On Apr 6, 2009, at 2:52 PM, Diego Valverde wrote:
> Is there a way to specify 1 out of every N packets sampling using an
> existing filter combination?

No. The filtering mechanism was created in order to filter based on
packet content, and that's all it supports checking.

> If not, where should I look into the code in order to extend the
> filtering functionality for my particular needs?

Nowhere - as indicated, the filtering mechanism checks only packet
contents.

I'm assuming the embedded device is running an operating system such
as Linux, so that packets have to be copied from kernel space to user
space (unless libpcap is using the memory-mapped access mechanism on
Linux or FreeBSD) to be delivered to libpcap.

If you don't care whether packets not being sampled are copied from
kernel space to user space (or if you're running on a version of Linux
or FreeBSD with a memory-mapped capture interface), you could just do
the sampling in the code that reads from libpcap.

If you do care, you'll have to implement the filtering in the kernel.
-
This is the tcpdump-workers list.
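An added sketch of the user-space option described in the reply above (sampling in the code that reads from libpcap); it is not code from the list or from libpcap. `struct sampler`, `sampler_keep` and `on_packet` are hypothetical names, and the capture path is compiled only with `-DWITH_PCAP` and linked with `-lpcap`; without it the program does a dry run over 10 constructed packets.

```c
/* 1-in-N sampling in user space, in the code that reads from libpcap.
 * Capture build: cc -DWITH_PCAP sample.c -lpcap ; without it, a dry run. */
#include <stdio.h>
#include <stdlib.h>

struct sampler {            /* hypothetical helper, not a libpcap type */
    unsigned long n;        /* keep 1 packet out of every n (0 or 1: keep all) */
    unsigned long seen;     /* packets delivered so far */
    unsigned long kept;     /* packets passed on for processing */
};

/* Returns 1 for packet 1, n+1, 2n+1, ... and 0 for the rest. */
static int sampler_keep(struct sampler *s)
{
    int keep = (s->n <= 1) || (s->seen % s->n == 0);
    s->seen++;
    if (keep)
        s->kept++;
    return keep;
}

#ifdef WITH_PCAP
#include <pcap.h>
static void on_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *bytes)
{
    struct sampler *s = (struct sampler *)user;
    (void)bytes;
    if (sampler_keep(s))    /* unsampled packets were still copied to user space */
        printf("kept #%lu: %u bytes captured\n", s->kept, (unsigned)h->caplen);
}
#endif

int main(int argc, char **argv)
{
    struct sampler s = { argc > 2 ? strtoul(argv[2], NULL, 10) : 4, 0, 0 };
#ifdef WITH_PCAP
    char errbuf[PCAP_ERRBUF_SIZE];
    pcap_t *p = argc > 2 ? pcap_open_live(argv[1], 65535, 1, 1000, errbuf) : NULL;
    if (p == NULL) { fprintf(stderr, "%s\n", argc > 2 ? errbuf : "usage: prog <interface> <N>"); return 1; }
    int rc = pcap_loop(p, -1, on_packet, (u_char *)&s);  /* runs until error or break */
    pcap_close(p);
    return rc == -1;
#else
    (void)argv;
    for (int i = 0; i < 10; i++)   /* constructed input: 10 packets, no capture */
        sampler_keep(&s);
    printf("kept %lu of %lu\n", s.kept, s.seen);   /* N=4 keeps packets 1, 5, 9 */
    return 0;
#endif
}
```

Any BPF filter installed with `pcap_setfilter()` is applied before packets reach the callback, so the counter samples only packets that already matched the filter.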