tcpdump mailing list archives

Multiple pcap filters on interface


From: Jim Mellander <jmellander () lbl gov>
Date: Tue, 07 Oct 2008 13:07:50 -0700

Hi:

I've been working on a TCP connection-killer daemon that will receive
requests of the following type:

'kill all connections between host x & host y'

and craft response packets based on received packets.

Of course, it will have a mechanism for removing such requests from its
active list.

There are a number of programs (tcpkill, couic) which take pcap
expressions and send RSTs in response to packets which match, but they
are too limited for my purposes - I'm trying to develop an
enterprise-capable tool.

I've thought of several mechanisms to program this:

1. A master pcap filter of 'tcp', which would hoist all TCP packets to
the user level, then inspect IPs for a match, either by direct packet
inspection or by compiled pcap expressions in userland - maybe zero-copy
BPF would help here.

2. Incrementally build a pcap filter 'tcp and ((host a and host b) or
(host c and host d))' ... etc. and apply to interface - my problem with
this approach is the limited number of host pairs this would be able to
accommodate.

3. Have a manager program which forks off as needed separate processes
to handle the requests individually.

All of the above are attempts to overcome the 'one filter per interface
per process' model that I believe libpcap imposes - or am I wrong?  Is
there something I've overlooked?

Any advice welcome - thanks in advance.

-- 
Jim Mellander
Incident Response Manager
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 486-7204

The reason you are having computer problems is:

Internet outage
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
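Option 1 from the post, sketched as an added example (this is not Jim's code and not part of the tcpdump/libpcap tree): a coarse 'tcp' capture filter on the interface, with the per-host-pair matching done in userland against a table of active kill requests, which sidesteps the one-filter-per-interface limit entirely. The example takes the direct-inspection route so it runs stand-alone; the other route the post mentions, compiling each expression with pcap_compile() and running the resulting program over each captured packet in userland, is the same idea with libpcap doing the matching. The frame layout assumed is DLT_EN10MB with IPv4, the table names (pair_add, pair_remove, should_kill, rst_fields) are hypothetical, the sample frame is constructed, and the RST seq/ack choice shown is one common strategy, not necessarily the one tcpkill uses.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added illustration of approach 1: capture with a coarse 'tcp' filter and
 * match host pairs in userland. Kill requests are unordered host pairs. */

#define MAX_PAIRS 4096
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

struct host_pair { uint32_t lo, hi; };                 /* stored with lo <= hi */
struct pair_table { struct host_pair p[MAX_PAIRS]; size_t n; };

struct tcp_info {
    uint32_t src, dst;      /* IPv4 addresses, host byte order */
    uint16_t sport, dport;
    uint32_t seq, ack;
    uint8_t  flags;
    uint32_t payload_len;   /* TCP payload bytes, derived from the IP total length */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Order the pair so 'host a and host b' matches traffic in both directions. */
static struct host_pair norm(uint32_t x, uint32_t y) {
    struct host_pair h = { x < y ? x : y, x < y ? y : x };
    return h;
}

/* Linear scan keeps the example short; a hash set replaces it at scale. */
static size_t find_pair(const struct pair_table *t, struct host_pair h) {
    for (size_t i = 0; i < t->n; i++)
        if (t->p[i].lo == h.lo && t->p[i].hi == h.hi) return i;
    return (size_t)-1;
}
int pair_add(struct pair_table *t, uint32_t x, uint32_t y) {
    struct host_pair h = norm(x, y);
    if (find_pair(t, h) != (size_t)-1) return 1;       /* request already active */
    if (t->n == MAX_PAIRS) return 0;
    t->p[t->n++] = h;
    return 1;
}
int pair_remove(struct pair_table *t, uint32_t x, uint32_t y) {
    size_t i = find_pair(t, norm(x, y));
    if (i == (size_t)-1) return 0;
    t->p[i] = t->p[--t->n];                            /* swap-delete */
    return 1;
}
int pair_contains(const struct pair_table *t, uint32_t x, uint32_t y) {
    return find_pair(t, norm(x, y)) != (size_t)-1;
}

/* Parse an Ethernet (DLT_EN10MB) frame. Returns 1 only for IPv4/TCP with
 * complete, length-consistent headers, so it cannot read past the capture. */
int parse_tcp_frame(const uint8_t *pkt, size_t len, struct tcp_info *out) {
    if (len < 14 || rd16(pkt + 12) != 0x0800) return 0;
    const uint8_t *ip = pkt + 14;
    size_t iplen = len - 14;
    if (iplen < 20 || (ip[0] >> 4) != 4) return 0;
    size_t ihl = (ip[0] & 0x0f) * 4u;
    uint16_t tot = rd16(ip + 2);
    if (ihl < 20 || ip[9] != 6 || tot < ihl + 20 || tot > iplen) return 0;
    const uint8_t *tcp = ip + ihl;
    size_t doff = (tcp[12] >> 4) * 4u;
    if (doff < 20 || ihl + doff > tot) return 0;
    out->src = rd32(ip + 12); out->dst = rd32(ip + 16);
    out->sport = rd16(tcp);   out->dport = rd16(tcp + 2);
    out->seq = rd32(tcp + 4); out->ack = rd32(tcp + 8);
    out->flags = tcp[13];
    out->payload_len = (uint32_t)(tot - ihl - doff);
    return 1;
}

/* The daemon's per-packet decision: TCP, not itself a RST (so our own
 * injected resets never trigger another one), and between an active pair. */
int should_kill(const struct pair_table *t, const uint8_t *pkt, size_t len,
                struct tcp_info *info) {
    if (!parse_tcp_frame(pkt, len, info)) return 0;
    if (info->flags & TH_RST) return 0;
    return pair_contains(t, info->src, info->dst);
}

/* Header fields for a RST|ACK aimed back at the packet's sender: our seq is
 * what the sender expects next, our ack covers the bytes it just sent. */
void rst_fields(const struct tcp_info *in, struct tcp_info *rst) {
    memset(rst, 0, sizeof *rst);
    rst->src = in->dst;     rst->dst = in->src;
    rst->sport = in->dport; rst->dport = in->sport;
    rst->seq = in->ack;
    rst->ack = in->seq + in->payload_len
             + ((in->flags & TH_SYN) ? 1 : 0) + ((in->flags & TH_FIN) ? 1 : 0);
    rst->flags = TH_RST | TH_ACK;
}

/* Constructed sample frame: 10.0.0.1:4660 -> 10.0.0.2:80, seq 100, ack 200,
 * PSH|ACK, 4 bytes of payload (IP total length 44). Checksums left zero. */
const uint8_t SAMPLE_FRAME[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x2c, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x12,0x34, 0x00,0x50, 0x00,0x00,0x00,0x64, 0x00,0x00,0x00,0xc8,
    0x50,0x18, 0x01,0x00, 0x00,0x00, 0x00,0x00,
    'd','a','t','a'
};
const size_t SAMPLE_FRAME_LEN = sizeof SAMPLE_FRAME;
```

In the real daemon the pcap callback would call should_kill() on each frame and, on a hit, build and inject a packet from rst_fields() in both directions; the table is what the request-removal mechanism edits, with no need to recompile or reapply the interface filter when requests come and go.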