tcpdump mailing list archives
libPcap -- Dynamic Filters Question...
From: "Cuzens, Jarrod" <jcuzens () websense com>
Date: Thu, 6 Feb 2003 16:41:31 -0800
Hello!

I am interested in using pcap to detect and track different protocols. Protocols such as FastTrack, Gnutella, etc. use ephemeral ports (nearly random src/dst ports), making it very difficult to define a filter for tracking these. I can basically define a filter that has a packet signature to detect things such as the beginning of a Gnutella session. For example, I could use the following filter: tcp[20:4]=0x474e5554 which basically translates into: "pass this packet up if the first four bytes are GNUT". If this is the first packet that I have seen for a given srcIP:srcPort, dstIP:dstPort then this is the start of a Gnutella session.

What I would like to be able to do is track this session by essentially adding a pcap filter (to a new instance of pcap) to monitor srcIP:srcPort and dstIP:dstPort for this new session (disregarding sequence numbers (I just need the naive case :) ) ) on the fly. This way pcap would now pass me up anything related to this session. Extending this idea a little further, the original pcap instance would still detect new sessions and I would continue to add new rules to the session filter and remove them when either the session stales or I get a FIN.

Basically, what I am trying to get at is that I would like to be able to dynamically add and remove rules from a filter on the fly. I have read a few documents about BPF+ that seem to indicate that this is the direction for BPF+ (although I have also read documents that state the contrary). Is there any functionality like this in libpcap?

Thanks very much for any help!

Jarrod
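Added example, not part of the original post and not libpcap code: one way to do the session tracking described above in application code, on packets that have already been captured. It reads the TCP data offset instead of assuming a 20-byte TCP header, so the "GNUT" check still finds the payload when TCP options are present. MAX_SESS, STALE_SECS, track_packet and the sample packet are assumptions made for this illustration.

```c
#include <stdint.h>
#include <string.h>
#define MAX_SESS   64
#define STALE_SECS 300   /* assumed idle timeout, in seconds */
struct sess { uint32_t a, b; uint16_t ap, bp; long last; int used; };
static struct sess table[MAX_SESS];

/* Constructed sample: 10.0.0.1:40000 -> 10.0.0.2:6346, 12 bytes of TCP options, payload "GNUT". */
static const uint8_t sample_pkt[56] = {
    0x45,0,0,56, 0,0,0,0, 64,6,0,0, 10,0,0,1, 10,0,0,2,            /* IPv4 header */
    0x9c,0x40,0x18,0xca, 0,0,0,0, 0,0,0,0, 0x80,0x18,0,0, 0,0,0,0, /* TCP, data offset 8 */
    1,1,1,1, 1,1,1,1, 1,1,1,1, 'G','N','U','T' };                  /* NOP options, payload */

/* Look up a session by its two endpoints, matching either direction. */
static struct sess *find(uint32_t s, uint16_t sp, uint32_t d, uint16_t dp) {
    for (int i = 0; i < MAX_SESS; i++) {
        struct sess *e = &table[i];
        if (e->used && ((e->a == s && e->ap == sp && e->b == d && e->bp == dp) ||
                        (e->a == d && e->ap == dp && e->b == s && e->bp == sp)))
            return e;
    }
    return NULL;
}

/* pkt starts at the IPv4 header. Returns 1 = new session, 2 = tracked session, 0 = ignored. */
int track_packet(const uint8_t *pkt, size_t len, long now) {
    if (len < 20 || (pkt[0] >> 4) != 4 || pkt[9] != 6) return 0;   /* IPv4 + TCP only */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20) return 0;
    const uint8_t *tcp = pkt + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;    /* TCP header length, options included */
    if (doff < 20 || len < ihl + doff) return 0;
    uint32_t s, d;
    memcpy(&s, pkt + 12, 4); memcpy(&d, pkt + 16, 4);
    uint16_t sp = (uint16_t)(tcp[0] << 8 | tcp[1]), dp = (uint16_t)(tcp[2] << 8 | tcp[3]);
    struct sess *e = find(s, sp, d, dp);
    if (e && now - e->last > STALE_SECS) { e->used = 0; e = NULL; }  /* stale: forget it */
    if (e) {
        e->last = now;
        if (tcp[13] & 0x01) e->used = 0;         /* FIN: stop tracking after this packet */
        return 2;
    }
    if (len - ihl - doff < 4 || memcmp(tcp + doff, "GNUT", 4) != 0) return 0;
    for (int i = 0; i < MAX_SESS; i++)
        if (!table[i].used || now - table[i].last > STALE_SECS) {
            table[i] = (struct sess){ s, d, sp, dp, now, 1 };
            return 1;
        }
    return 0;                                    /* table full */
}
```

In the sample packet the four bytes at TCP offset 20 are options, not payload, which is the case a fixed-offset signature match would miss.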