tcpdump mailing list archives

Re: libpcap


From: Guy Harris <gharris () sonic net>
Date: Mon, 4 Nov 2002 23:41:57 -0800

On Sat, Nov 02, 2002 at 01:23:22PM -0500, subramoni padmanabhan wrote:
> Can anyone tell me if it is possible to create multiple PF_PACKET
> sockets to capture on the "any" device on the same machine?

I don't know whether you can, but I would assume you can.  Try running
two instances of tcpdump at the same time, both capturing on the "any"
device, on your Linux box; if it succeeds, you can do it, because
tcpdump uses libpcap, and libpcap uses PF_PACKET sockets (except on
2.0[.x] Linux kernels, but that's because 2.0[.x] Linux kernels don't
support PF_PACKET sockets).

(I assume you mean "can I have multiple PF_PACKET sockets, each of which
is capturing on the 'any' device, on the same machine?", not, for
example, "can I capture on all network interfaces by using multiple
PF_PACKET sockets, each one of which is capturing on a different network
interface" - the answer to the latter question is probably also "yes";
try running multiple instances of tcpdump, at the same time, each one
capturing from a different interface, to test that.)

> Or can multiple
> filters be attached to a single PF_PACKET socket to capture on "any" device?

Only one filter (in the sense of a filter set with "pcap_setfilter()")
can be attached to a socket, regardless of whether the socket is bound
to a particular network interface or not bound to a particular network
interface (the way libpcap captures on the "any" device is that it
creates a PF_PACKET/SOCK_DGRAM socket but doesn't bind it to a network
interface).
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe

