tcpdump mailing list archives

libPcap -- Dynamic Filters Question...


From: "Cuzens, Jarrod" <jcuzens () websense com>
Date: Thu, 6 Feb 2003 16:41:31 -0800

Hello!

        I am interested in using pcap to detect and track different
protocols. Protocols such as FastTrack, Gnutella, etc. use ephemeral ports
(nearly random src/dst ports) making it very difficult to define a filter
for tracking these. I can basically define a filter that has a packet
signature to detect things such as the beginning of a Gnutella session. For
example I could use the following filter: tcp[20:4]=0x474e5554 which
basically translates into: "pass this packet up if the first four bytes are
GNUT". If this is the first packet that I have seen for a given
srcIP:srcPort, dstIP:dstPort then this is the start of a Gnutella session.

        What I would like to be able to do is track this session by
essentially adding a pcap filter (to a new instance of pcap) to monitor
srcIP:srcPort and dstIP:dstPort for this new session (disregarding sequence
numbers (I just need the naive case :) ) ) on the fly. This way pcap would
now pass me up anything related to this session. Extending this idea a
little further the original pcap instance would still detect new sessions
and I would continue to add new rules to the session filter and remove them
when either the session goes stale or I get a FIN.

        Basically, what I am trying to get at is that I would like to be
able to dynamically add and remove rules from a filter on the fly. I have read
a few documents about BPF+ that seem to indicate that this is the direction
for BPF+ (although I have also read documents that state the contrary). Is
there any functionality like this in libpcap?

Thanks very much for any help!
Jarrod

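An added example (not part of the post above, and not libpcap's own code) of the usual way to get the effect Jarrod describes without rewriting the kernel filter on every new session. libpcap does let a handle's filter be replaced by calling pcap_compile() and pcap_setfilter() again, but each call recompiles the whole program; there is no incremental add/remove of rules. The alternative shown here keeps one coarse kernel filter ("tcp") and does the per-session tracking in a userspace table keyed by the flow 4-tuple: a packet whose TCP payload starts with "GNUT" opens a session, every later packet on that 4-tuple (either direction) is attributed to it, and a FIN or RST closes it. The decoder computes the payload offset from the IP IHL and TCP data-offset fields, and a small helper emulates the fixed-offset filter tcp[20:4] so the two can be compared on a packet that carries TCP options. All frames are constructed inline with placeholder addresses and no checksums; the function and class names are this example's own.

```python
"""Userspace session tracking for a signature-detected protocol (added example)."""
import socket
import struct

ETH_HLEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
GNUT_MAGIC = b"GNUT"  # 0x474e5554, the signature from the post


def parse_tcp(frame):
    """Decode Ethernet/IPv4/TCP; return (flow, flags, payload) or None.

    The payload start is derived from the IHL and data-offset fields, so a
    TCP header longer than 20 bytes (options present) is handled correctly.
    """
    if len(frame) < ETH_HLEN + 20 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = ETH_HLEN
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack_from("!BBHHHBBH4s4s", frame, ip)
    if ver_ihl >> 4 != 4 or proto != IPPROTO_TCP:
        return None
    tcp = ip + (ver_ihl & 0x0F) * 4
    if len(frame) < tcp + 20:
        return None
    sport, dport, _seq, _ack, off_flags = struct.unpack_from("!HHIIH", frame, tcp)
    data_off = (off_flags >> 12) * 4          # TCP header length incl. options
    flags = off_flags & 0x1FF
    payload = frame[tcp + data_off: ip + total_len]
    flow = (socket.inet_ntoa(src), sport, socket.inet_ntoa(dst), dport)
    return flow, flags, payload


def matches_fixed_offset(frame):
    """Emulate the filter tcp[20:4]=0x474e5554: 4 bytes at TCP header offset 20,
    regardless of the data-offset field (so options shift the payload past it)."""
    if len(frame) < ETH_HLEN + 20:
        return False
    tcp = ETH_HLEN + (frame[ETH_HLEN] & 0x0F) * 4
    return frame[tcp + 20: tcp + 24] == GNUT_MAGIC


class SessionTracker:
    """Flow table standing in for a per-session pcap filter."""

    def __init__(self):
        self.sessions = {}  # direction-independent 4-tuple -> counters

    @staticmethod
    def key(flow):
        a, b = (flow[0], flow[1]), (flow[2], flow[3])
        return (a, b) if a <= b else (b, a)   # same key for both directions

    def handle(self, frame):
        parsed = parse_tcp(frame)
        if parsed is None:
            return "ignored"
        flow, flags, payload = parsed
        k = self.key(flow)
        if k in self.sessions:                # already tracked: count it
            s = self.sessions[k]
            s["packets"] += 1
            s["bytes"] += len(payload)
            if flags & (TCP_FIN | TCP_RST):   # naive teardown: first FIN/RST ends it
                del self.sessions[k]
                return "closed"
            return "tracked"
        if payload.startswith(GNUT_MAGIC):    # signature hit on an unknown flow
            self.sessions[k] = {"packets": 1, "bytes": len(payload)}
            return "new"
        return "ignored"


def build_frame(src, sport, dst, dport, flags, payload=b"", tcp_options=b""):
    """Constructed Ethernet/IPv4/TCP frame for testing (placeholder MACs, zero checksums)."""
    data_off = 20 + len(tcp_options)
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 1, 0,
                          (data_off // 4) << 12 | flags, 65535, 0, 0) + tcp_options
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, IPPROTO_TCP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + tcp_hdr + payload


def sample_trace():
    """Constructed sequence: SYN, GNUT handshake with an MSS option, data, unrelated HTTP, FIN."""
    c, s = ("10.0.0.5", 40123), ("198.51.100.7", 6346)
    mss_option = b"\x02\x04\x05\xb4"          # 24-byte TCP header: tcp[20:4] now reads this
    return [
        build_frame(*c, *s, TCP_SYN),
        build_frame(*c, *s, TCP_PSH | TCP_ACK, b"GNUTELLA CONNECT/0.6\r\n", mss_option),
        build_frame(*s, *c, TCP_PSH | TCP_ACK, b"GNUTELLA/0.6 200 OK\r\n"),
        build_frame(*c, *s, TCP_ACK, b"User-Agent: example\r\n"),
        build_frame("10.0.0.9", 5000, "203.0.113.1", 80, TCP_PSH | TCP_ACK, b"GET / HTTP/1.1\r\n"),
        build_frame(*s, *c, TCP_FIN | TCP_ACK),
    ]


def run(frames):
    """Feed frames through a tracker; return (per-packet actions, tracker)."""
    tracker = SessionTracker()
    return [tracker.handle(f) for f in frames], tracker


if __name__ == "__main__":
    actions, tracker = run(sample_trace())
    print(actions, "open sessions:", tracker.sessions)
```

On a live handle, pcap_loop()'s callback (or Python's equivalent in scapy or pcapy) would hand each raw frame to SessionTracker.handle(); the kernel filter stays "tcp" for the life of the capture. The teardown is the naive one from the post: a single FIN or RST in either direction drops the session, whereas a complete implementation would wait for FINs in both directions and also expire idle entries on a timer.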