tcpdump mailing list archives

Re: Support for multiple packet capture types per platform


From: Guy Harris <guy () netapp com>
Date: Thu, 1 May 2003 00:08:11 -0700

On Thu, May 01, 2003 at 01:38:11PM +1200, Jesper Peterson wrote:
> The structure of libpcap could be enhanced by allowing
> for multiple packet capture types other than just the
> current file or kernel stack mechanisms. This could
> possibly be achieved by optionally using a URL style
> device name for example 'dag:/dev/dag0'.

WinPcap already supports a "pcap_open()" call that accepts URL-style
names; it currently supports opening files and libpcap-style capture
devices, both locally and remotely:

        http://winpcap.polito.it/docs/man/html/group__remote__func.html#a3

However, I'm not sure how that'd support opening, say, DAG devices on
remote machines - the syntax for opening an adapter on a remote machine
is

        rpcap://{host}/{adapter}

but "{adapter}" is a traditional adapter name.

One possibility would be that

        dag://dev/dag0

would open "/dev/dag0" locally, and

        dag://{host}/dev/dag0

would send an rpcap request to the remote host to open "/dev/dag0"; that
request would somehow have to indicate that a DAG device was to be
opened, e.g. by sending "dag://dev/dag0" to the remote machine as the
name of the device to be opened.

Another possibility, which fails only if somebody on some platform has
the bright idea to name some network interface "dag", would be to have
libpcap know that a device of the form "dagN" was a DAG device.  That
has the advantage that you don't have to type quite as long a name.

> This could also potentially allow offline dumping from non-pcap
> files.

Dumping from, or dumping to?

Reading from non-libpcap files is, in most cases, probably best done by
having libpcap look at the file to see what type of file it is; that's
how Ethereal's capture-file-reading library does it.  Of the file types
Ethereal can read, the following all have magic numbers at fixed
locations, making it relatively easy to determine the file type:

        libpcap
        Novell LANalyzer
        Sniffer for DOS
        Sun snoop
        AIX iptrace
        Microsoft Network Monitor
        NetXRay/Sniffer for Windows
        RADCOM devices
        HP-UX nettl
        Visual Networks capture files

Some others require more heuristics - most are text files, but some that
aren't are

        WildPackets EtherPeek/TokenPeek/AiroPeek
        pppdump output
        i4btrace output

Dumping to non-libpcap files could be done with a tag in the pathname.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
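The name-routing scheme discussed in the mail above (URL-style names such as dag://{host}/dev/dag0 and rpcap://{host}/{adapter}, plus the "dagN" shortcut), as an added example in C. This is illustration code written for this archive page, not libpcap's or WinPcap's parser, and the names struct capture_spec, parse_capture_name, looks_like_dag_name and copy_field are mine. It follows ordinary URL authority syntax, under which the text between "//" and the next "/" is the host: a local device path is therefore written dag:///dev/dag0 (empty host), and the mail's "dag://dev/dag0" comes out with host "dev" and path "/dag0", which is the ambiguity any such scheme has to settle before it can be sent to a remote rpcap host. A name with no "/" at all after the scheme is treated as a local adapter, the way WinPcap's rpcap:// names without a host are. The path keeps its leading "/" so a device path like /dev/dag0 survives intact; a caller opening a plain rpcap adapter would strip it.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Result of parsing a capture-source name.  Names chosen for this
 * example; libpcap has no such structure. */
struct capture_spec {
    char scheme[16];  /* "dag", "rpcap", "file", ... or "" for a plain name */
    char host[64];    /* remote host, "" when the source is local */
    char path[128];   /* device path or adapter name */
    int  is_dag;      /* 1 when the name refers to a DAG card */
};

/* The shortcut from the mail: "dag" followed by one or more digits and
 * nothing else.  A bare interface literally called "dag" does not
 * match, which is the collision case the mail points out. */
static int looks_like_dag_name(const char *s)
{
    if (strncmp(s, "dag", 3) != 0)
        return 0;
    s += 3;
    if (!isdigit((unsigned char)*s))
        return 0;
    while (isdigit((unsigned char)*s))
        s++;
    return *s == '\0';
}

/* Copy n bytes of src into a fixed buffer, refusing rather than
 * truncating: a silently shortened device name opens the wrong device. */
static int copy_field(char *dst, size_t dstsz, const char *src, size_t n)
{
    if (n >= dstsz)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Returns 0 and fills *out on success, -1 on a malformed name. */
int parse_capture_name(const char *name, struct capture_spec *out)
{
    const char *sep, *rest, *slash;

    memset(out, 0, sizeof *out);
    sep = strstr(name, "://");
    if (sep == NULL) {
        /* Traditional adapter name: "eth0", "dag0", "\Device\NPF_..." */
        if (name[0] == '\0' ||
            copy_field(out->path, sizeof out->path, name, strlen(name)) < 0)
            return -1;
        out->is_dag = looks_like_dag_name(name);
        return 0;
    }
    if (copy_field(out->scheme, sizeof out->scheme, name, sep - name) < 0 ||
        out->scheme[0] == '\0')
        return -1;
    rest = sep + 3;
    slash = strchr(rest, '/');
    if (slash == NULL) {
        /* "scheme://adapter": local source, no host component at all */
        if (copy_field(out->path, sizeof out->path, rest, strlen(rest)) < 0)
            return -1;
    } else {
        /* "scheme://host/path": the text before the '/' is the host,
         * which may be empty ("dag:///dev/dag0" is local) */
        if (copy_field(out->host, sizeof out->host, rest, slash - rest) < 0 ||
            copy_field(out->path, sizeof out->path, slash, strlen(slash)) < 0)
            return -1;
    }
    if (out->path[0] == '\0')
        return -1;
    out->is_dag = strcmp(out->scheme, "dag") == 0;
    return 0;
}

int main(void)
{
    /* Constructed sample names covering the forms discussed in the mail. */
    static const char *names[] = {
        "dag:///dev/dag0", "dag://capbox/dev/dag0", "dag://dev/dag0",
        "rpcap://capbox/eth0", "dag0", "dag", "eth0"
    };
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        struct capture_spec s;
        if (parse_capture_name(names[i], &s) < 0) {
            printf("%-24s malformed\n", names[i]);
            continue;
        }
        printf("%-24s scheme=%-6s host=%-8s path=%-10s %s\n", names[i],
               s.scheme[0] ? s.scheme : "-", s.host[0] ? s.host : "(local)",
               s.path, s.is_dag ? "DAG" : "");
    }
    return 0;
}
```

Running it prints one line per sample name; the "dag://dev/dag0" line shows host "dev", which is the point of the example.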


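Detecting a capture file's type from a magic number at a fixed offset, as the mail describes for Ethereal's capture-file-reading library, as an added example in C. This is illustration code written for this archive page, not Ethereal's or libpcap's reader; guess_capture_type and guess_capture_file are names chosen here. Only formats whose magic I am certain of are included: libpcap's 0xa1b2c3d4 in either byte order (plus the nanosecond-timestamp variant 0xa1b23c4d, which libpcap added after this mail was written) and Sun snoop's "snoop" followed by three NUL bytes from RFC 1761. The other fixed-magic formats in the mail's list would be further entries in the same chain. The practitioner's point is that the decision rests on the bytes, never on the file extension, and that every check is bounded by the number of bytes actually read.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read a 32-bit value big-endian from the file bytes, so the comparison
 * does not depend on the host's byte order or on alignment. */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Identify a capture file from its leading bytes.  Returns a short
 * format name, or NULL when nothing matches (a text format, or a file
 * that needs the heuristics the mail mentions). */
const char *guess_capture_type(const unsigned char *buf, size_t len)
{
    if (len >= 4) {
        uint32_t m = be32(buf);
        /* libpcap writes 0xa1b2c3d4 in the writer's native byte order,
         * so a little-endian writer leaves d4 c3 b2 a1 on disk. */
        if (m == 0xa1b2c3d4) return "libpcap, big-endian, microsecond timestamps";
        if (m == 0xd4c3b2a1) return "libpcap, little-endian, microsecond timestamps";
        /* nanosecond-timestamp variant, added to libpcap after this mail */
        if (m == 0xa1b23c4d) return "libpcap, big-endian, nanosecond timestamps";
        if (m == 0x4d3cb2a1) return "libpcap, little-endian, nanosecond timestamps";
    }
    /* RFC 1761: "snoop" then three NUL bytes, then a big-endian version */
    if (len >= 8 && memcmp(buf, "snoop\0\0\0", 8) == 0)
        return "Sun snoop";
    return NULL;
}

/* Sniff a file on disk, reading only the header bytes the checks need. */
const char *guess_capture_file(const char *path)
{
    unsigned char hdr[64];
    size_t n;
    FILE *fp = fopen(path, "rb");

    if (fp == NULL)
        return NULL;
    n = fread(hdr, 1, sizeof hdr, fp);
    fclose(fp);
    return guess_capture_type(hdr, n);
}

int main(int argc, char **argv)
{
    /* Constructed sample headers, not taken from real capture files. */
    static const unsigned char pcap_le[]    = { 0xd4, 0xc3, 0xb2, 0xa1, 0x02, 0x00, 0x04, 0x00 };
    static const unsigned char pcap_be_ns[] = { 0xa1, 0xb2, 0x3c, 0x4d, 0x00, 0x02, 0x00, 0x04 };
    static const unsigned char snoop[]      = { 's', 'n', 'o', 'o', 'p', 0, 0, 0, 0, 0, 0, 2 };
    static const unsigned char text[]       = "No.     Time        Source";
    const char *t;

    printf("pcap_le:    %s\n", guess_capture_type(pcap_le, sizeof pcap_le));
    printf("pcap_be_ns: %s\n", guess_capture_type(pcap_be_ns, sizeof pcap_be_ns));
    printf("snoop:      %s\n", guess_capture_type(snoop, sizeof snoop));
    t = guess_capture_type(text, sizeof text - 1);
    printf("text:       %s\n", t ? t : "unknown (needs heuristics)");
    if (argc > 1) {
        t = guess_capture_file(argv[1]);
        printf("%s: %s\n", argv[1], t ? t : "unknown");
    }
    return 0;
}
```

Given a path on the command line it sniffs that file as well; without one it classifies the constructed headers only.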