Re: using a database to store packets

[Ed Maste <emaste () phaedrus sandvine ca>]

> > It's possible, but tcpdump itself can't do it.  You could, for example, 
> > write your own program to do so, reading a capture file from the 
> > standard input (use libpcap, and open the file named "-" with 
> > "pcap_open_offline()", to read from the standard input), and pipe 
> > tcpdump's output to it (with "-w -").
>
> No, I'm proposing to change tcpdump to store packets using a database system
> like SQL or Berkeley DB, nor storing there already captured data.

Your program wouldn't be processing old captured data.  You have tcpdump
output libpcap format data to stdout, in realtime.  Then you pipe this to
your new tool, which writes to the database.  You don't need to change
tcpdump at all.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.