tcpdump mailing list archives
Re: Question regarding libpcap filters and sflow,
From: Guy Harris <guy () alum mit edu>
Date: Mon, 6 Apr 2009 16:46:38 -0700
On Apr 6, 2009, at 4:17 PM, Darren Reed wrote:
What you might be able to do is construct a filter that only matches Ipv4 packets that have an ipid field that is 0 in base 4.
...if the sampling rate is 4, so that 1 out of 4 packets are processed.Unfortunately, there's no "%" operator in the pcap filtering language (and no "modulo" instruction in the BPF pseudo-machine language), so non-power-of-2 sampling rates are harder.
That also works only if you're solely interested in IPv4 packets. - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
Current thread:
- Question regarding libpcap filters and sflow, how to filter 1 out of every N packets. Diego Valverde (Apr 06)
- Re: Question regarding libpcap filters and sflow, how to filter 1 out of every N packets. Guy Harris (Apr 06)
- Re: Question regarding libpcap filters and sflow, how to filter 1 out of every N packets. Tyler Littlefield (Apr 06)
- Re: Question regarding libpcap filters and sflow, Diego Valverde (Apr 06)
- Re: Question regarding libpcap filters and sflow, Darren Reed (Apr 06)
- Re: Question regarding libpcap filters and sflow, Guy Harris (Apr 06)
- Re: Question regarding libpcap filters and sflow, how to filter 1 out of every N packets. Guy Harris (Apr 06)
- Re: Question regarding libpcap filters and sflow, Diego Valverde (Apr 06)
- Re: Question regarding libpcap filters and sflow, Guy Harris (Apr 07)
- Re: Question regarding libpcap filters and sflow, how to filter 1 out of every N packets. Guy Harris (Apr 06)