Michael Richardson wrote:
> I'm unclear if you want to run many rules (filter1 OR filter2 OR filter3) on
> a single interface, or you want to run many pcap filters on different
> interfaces.
One interface. 1000's of filter rules.
> I think that Guy's answer suggesting that your pcap library was old should
> satify, but you mention hardware, and the current interface is really about
> either using the kernel interface ("live") or from a file ("dead"), while
> I think you want an in-memory interface.
Largely, yes. The system we're using doesn't support 1000's of filter
rules in the kernel for one pcap_t. So we're stuck doing the work in
user space.
Alan DeKok.
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
