Re: using a database to store packets

[Guy Harris <guy () alum mit edu>]

MAURICIOMANENTS wrote:
> I'd like to store packets in a database format so I can see packets
> using ethereal (with the needed changes to support database reading)

If you're talking about reading it using Ethereal, what you'll have to 
store is raw packet data, not something like a database record with 
particular packet properties as fields (you could probably store the raw 
packet data as a blob - or as a field, as long as the database supports 
fields as big as the maximum packet size).

But the easiest format for Ethereal to read is, err, umm, libpcap 
format, which is the native format for tcpdump and Ethereal.  If you 
just want to store packets in a form Ethereal can read, "tcpdump -w" (or 
"tethereal -w") should work just fine.

> or remove not needed packets while capturing.

Presumably you mean that packets saved to the database will be deleted 
after they've been saved (and in some fashion more capable than what a 
capture filter can do, given that if a capture filter can distinguish 
needed packets from non-needed packets, you can just use that to remove 
those packets - you don't need a database).

> Does anyone know if it's possible to store packets using tcpdump on a
> database (either SQL, Berkeley DB, or whatever) so I can view, and
> remove packets in realtime?

It's possible, but tcpdump itself can't do it.  You could, for examploe, 
write your own program to do so, reading a capture file from the 
standard input (use libpcap, and open the file named "-" with 
"pcap_open_offline()", to read from the standard input), and pipe 
tcpdump's output to it (with "-w -").
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.