tcpdump mailing list archives
Re: Support for multiple packet capture types per platform
From: Guy Harris <guy () netapp com>
Date: Thu, 1 May 2003 00:08:11 -0700
On Thu, May 01, 2003 at 01:38:11PM +1200, Jesper Peterson wrote:
The structure of libpcap could be enhanced by allowing for multiple packet capture types other than just the current file or kernel stack mechanisms. This could possibly be achieved by optionally using a URL style device name for example 'dag:/dev/dag0'.
WinPcap already supports a "pcap_open()" call that accepts URL-style names; it currently supports opening files and libpcap-style capture devices, both locally and remotely:

http://winpcap.polito.it/docs/man/html/group__remote__func.html#a3

However, I'm not sure how that'd support opening, say, DAG devices on remote machines - the syntax for opening an adapter on a remote machine is

rpcap://{host}/{adapter}

but "{adapter}" is a traditional adapter name.

One possibility would be that dag://dev/dag0 would open "/dev/dag0" locally, and dag://{host}/dev/dag0 would send an rpcap request to the remote host to open "/dev/dag0"; that request would somehow have to indicate that a DAG device was to be opened, e.g. by sending "dag://dev/dag0" to the remote machine as the name of the device to be opened.

Another possibility, which fails only if somebody on some platform has the bright idea to name some network interface "dag", would be to have libpcap know that a device of the form "dagN" was a DAG device. That has the advantage that you don't have to type quite as long a name.
This could also potentially allow offline dumping from non-pcap files.
Dumping from, or dumping to?

Reading from non-libpcap files is, in most cases, probably best done by having libpcap look at the file to see what type of file it is; that's how Ethereal's capture-file-reading library does it. Of the file types Ethereal can read, the following all have magic numbers at fixed locations, making it relatively easy to determine the file type:

    libpcap
    Novell LANalyzer
    Sniffer for DOS
    Sun snoop
    AIX iptrace
    Microsoft Network Monitor
    NetXRay/Sniffer for Windows
    RADCOM devices
    HP-UX nettl
    Visual Networks capture files

Some others require more heuristics - most are text files, but some that aren't are

    WildPackets EtherPeek/TokenPeek/AiroPeek
    pppdump output
    i4btrace output

Dumping to non-libpcap files could be done with a tag in the pathname.

-
This is the TCPDUMP workers list.
It is archived at http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
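Editor's added example, not code from libpcap, WinPcap or Ethereal: the two mechanisms discussed in the reply above, in one C program. The first half is the "look at the file" approach for reading non-libpcap captures, a table of magic numbers at fixed offsets checked against the file's leading bytes; it lists only the magics whose values are well documented (libpcap in both byte orders plus the nanosecond variant, Sun snoop per RFC 1761, Microsoft Network Monitor 1.x/2.x) and deliberately omits the other formats in Guy's list rather than guess at them. The second half parses the URL-style device names sketched in the reply (dag://dev/dag0 local, dag://{host}/dev/dag0 remote, rpcap://{host}/{adapter}, and the "dagN" shorthand). The struct names, field sizes, host name "cap1" and the sample header bytes are all constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* 1. Classify a capture file by the magic number at a fixed offset. */
enum cap_type { CAP_UNKNOWN = 0, CAP_LIBPCAP, CAP_SNOOP, CAP_NETMON };
struct magic { enum cap_type type; size_t off, len; const unsigned char *bytes; };
/* libpcap writes its 32-bit magic in host byte order, so a reader must
 * accept both orders; 0xa1b23c4d is the nanosecond-resolution variant. */
static const unsigned char PCAP_BE[]    = {0xa1, 0xb2, 0xc3, 0xd4};
static const unsigned char PCAP_LE[]    = {0xd4, 0xc3, 0xb2, 0xa1};
static const unsigned char PCAP_NS_BE[] = {0xa1, 0xb2, 0x3c, 0x4d};
static const unsigned char PCAP_NS_LE[] = {0x4d, 0x3c, 0xb2, 0xa1};
static const unsigned char SNOOP[]   = {'s','n','o','o','p',0,0,0}; /* RFC 1761 */
static const unsigned char NETMON1[] = {'R','T','S','S'};           /* Network Monitor 1.x */
static const unsigned char NETMON2[] = {'G','M','B','U'};           /* Network Monitor 2.x */
static const struct magic MAGICS[] = {
    {CAP_LIBPCAP, 0, 4, PCAP_BE},    {CAP_LIBPCAP, 0, 4, PCAP_LE},
    {CAP_LIBPCAP, 0, 4, PCAP_NS_BE}, {CAP_LIBPCAP, 0, 4, PCAP_NS_LE},
    {CAP_SNOOP,   0, 8, SNOOP},
    {CAP_NETMON,  0, 4, NETMON1},    {CAP_NETMON,  0, 4, NETMON2},
};

/* The length check comes first, so a truncated or empty file is reported
 * as unknown instead of being read past the end of the buffer. */
enum cap_type sniff_capture_type(const unsigned char *buf, size_t n)
{
    for (size_t i = 0; i < sizeof MAGICS / sizeof MAGICS[0]; i++) {
        const struct magic *m = &MAGICS[i];
        if (n >= m->off + m->len && memcmp(buf + m->off, m->bytes, m->len) == 0)
            return m->type;
    }
    return CAP_UNKNOWN;
}

/* 2. Parse a URL-style device name. Forms handled, following the reply
 * (field sizes are arbitrary choices for this example):
 *   dag://dev/dag0       local DAG device /dev/dag0 ("dev" is a path component)
 *   dag://host/dev/dag0  DAG device /dev/dag0 on "host", opened via rpcap
 *   rpcap://host/eth0    conventional adapter "eth0" on "host" (WinPcap syntax)
 *   dag0                 shorthand for local /dev/dag0
 *   eth0                 conventional local adapter name */
struct capdev {
    char scheme[16];  /* "dag", "rpcap", or "" for a plain local adapter */
    char host[64];    /* "" when the device is local */
    char path[128];   /* device path or adapter name */
};

static int all_digits(const char *s)
{
    if (*s == '\0') return 0;
    for (; *s; s++) if (!isdigit((unsigned char)*s)) return 0;
    return 1;
}
/* Returns 0 on success, -1 on a malformed name. */
int parse_capture_name(const char *name, struct capdev *out)
{
    const char *sep = strstr(name, "://");
    memset(out, 0, sizeof *out);
    if (sep == NULL) {                          /* no scheme: plain or "dagN" */
        if (strncmp(name, "dag", 3) == 0 && all_digits(name + 3)) {
            strcpy(out->scheme, "dag");
            snprintf(out->path, sizeof out->path, "/dev/%s", name);
        } else {
            snprintf(out->path, sizeof out->path, "%s", name);
        }
        return 0;
    }
    size_t slen = (size_t)(sep - name);
    if (slen == 0 || slen >= sizeof out->scheme) return -1;
    memcpy(out->scheme, name, slen);
    const char *auth = sep + 3, *slash = strchr(auth, '/');
    if (slash == NULL || slash == auth || slash[1] == '\0') return -1;
    size_t alen = (size_t)(slash - auth);
    if (strcmp(out->scheme, "dag") == 0 && alen == 3 && strncmp(auth, "dev", 3) == 0) {
        snprintf(out->path, sizeof out->path, "/%s", auth);   /* local /dev/dagN */
        return 0;
    }
    if (alen >= sizeof out->host) return -1;
    memcpy(out->host, auth, alen);
    /* DAG devices keep the absolute path; rpcap adapters are bare names. */
    snprintf(out->path, sizeof out->path, "%s",
             strcmp(out->scheme, "dag") == 0 ? slash : slash + 1);
    return 0;
}

int main(void)
{
    static const unsigned char pcap_le[] = {0xd4,0xc3,0xb2,0xa1, 2,0,4,0}; /* constructed */
    const char *names[] = {"dag://dev/dag0", "dag://cap1/dev/dag0", "rpcap://cap1/eth0", "dag0"};
    printf("pcap_le -> type %d\n", sniff_capture_type(pcap_le, sizeof pcap_le));
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        struct capdev d;
        if (parse_capture_name(names[i], &d) == 0)
            printf("%-20s scheme=%-6s host=%-5s path=%s\n", names[i], d.scheme, d.host, d.path);
    }
    return 0;
}
```

Two points worth noticing. The proposed dag:// syntax is ambiguous: in dag://dev/dag0 the authority component is literally "dev", so the parser has to special-case it and a remote host actually named "dev" cannot be expressed; a form with an empty authority, dag:///dev/dag0, would avoid that. And the sniffer checks the buffer length before memcmp, so a file shorter than the magic (a 5-byte file starting with "snoop", say) is reported as unknown rather than read past the end, which is the check a file-type heuristic fed untrusted captures must never skip.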
Current thread:
- Support for multiple packet capture types per platform Jesper Peterson (Apr 30)
- Re: Support for multiple packet capture types per platform Guy Harris (May 01)