tcpdump mailing list archives
Re: libpcap
From: Guy Harris <gharris () sonic net>
Date: Mon, 4 Nov 2002 23:41:57 -0800
On Sat, Nov 02, 2002 at 01:23:22PM -0500, subramoni padmanabhan wrote:
Can anyone tell me if it is possible to create multiple PF_PACKET sockets to capture on the "any" device on the same machine?
I don't know whether you can, but I would assume you can. Try running two instances of tcpdump at the same time, both capturing on the "any" device, on your Linux box; if it succeeds, you can do it, because tcpdump uses libpcap, and libpcap uses PF_PACKET sockets (except on 2.0[.x] Linux kernels, but that's because 2.0[.x] Linux kernels don't support PF_PACKET sockets). (I assume you mean "can I have multiple PF_PACKET sockets, each of which is capturing on the 'any' device, on the same machine?", not, for example, "can I capture on all network interfaces by using multiple PF_PACKET sockets, each one of which is capturing on a different network interface" - the answer to the latter question is probably also "yes"; try running multiple instances of tcpdump, at the same time, each one capturing from a different interface, to test that.)
Or can multiple filters be attached to a single PF_PACKET socket to capture on "any" device.
Only one filter (in the sense of a filter set with "pcap_setfilter()") can be attached to a socket, regardless of whether the socket is bound to a particular network interface or not bound to a particular network interface (the way libpcap captures on the "any" device is that it creates a PF_PACKET/SOCK_DGRAM socket but doesn't bind it to a network interface). - This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
Current thread:
- libpcap subramoni padmanabhan (Nov 02)
- Re: libpcap Guy Harris (Nov 04)
- <Possible follow-ups>
- Re: Libpcap Michael Richardson (Nov 05)