tcpdump mailing list archives
Re: using a database to store packets
From: MAURICIOMANENTS <MAURICIOMANENTS () terra es>
Date: Fri, 26 Nov 2004 15:01:08 GMT
Guy Harris wrote:
> MAURICIOMANENTS wrote:
>> I'd like to store packets in a database format so I can see packets using ethereal (with the needed changes to support database reading)
> If you're talking about reading it using Ethereal, what you'll have to store is raw packet data, not something like a database record with particular packet properties as fields (you could probably store the raw packet data as a blob - or as a field, as long as the database supports fields as big as the maximum packet size).
No, I want to store whole packets in a database to be able to access them using ethereal in real time (yes, ethereal should have new code to read from that database).
> But the easiest format for Ethereal to read is, err, umm, libpcap format, which is the native format for tcpdump and Ethereal. If you just want to store packets in a form Ethereal can read, "tcpdump -w" (or "tethereal -w") should work just fine.
The problem with libpcap format is that I can't read the file in real time, nor delete packets.
>> or remove not needed packets while capturing.
> Presumably you mean that packets saved to the database will be deleted after they've been saved (and in some fashion more capable than what a capture filter can do, given that if a capture filter can distinguish needed packets from non-needed packets, you can just use that to remove those packets - you don't need a database).
No, I mean removing the packets I select while capture is in progress.
>> Does anyone know if it's possible to store packets using tcpdump on a database (either SQL, Berkeley DB, or whatever) so I can view, and remove packets in realtime?
> It's possible, but tcpdump itself can't do it. You could, for example, write your own program to do so, reading a capture file from the standard input (use libpcap, and open the file named "-" with "pcap_open_offline()", to read from the standard input), and pipe tcpdump's output to it (with "-w -").
No, I'm proposing to change tcpdump to store packets using a database system like SQL or Berkeley DB, not storing already captured data there.

- This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
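Guy Harris's suggestion in the quoted text (a separate program fed by "tcpdump -w -" that stores the raw packet bytes as blobs) and the request to drop selected packets while the capture is still running, worked through as an added example that is not part of this thread, of tcpdump, or of Ethereal. It assumes the reader program parses the libpcap savefile format itself with the Python standard library instead of calling pcap_open_offline(), and that SQLite stands in for "SQL, Berkeley DB, or whatever". The class name PacketStore, the script name packetdb.py and the three sample Ethernet frames are constructed for the example; the per-packet commit is what lets another process (an Ethereal reader of the database, say) see each packet as soon as it is stored, and export_pcap writes what is left back out in the one format Ethereal reads natively.

```python
import sqlite3
import struct
import sys
from io import BytesIO

# libpcap savefile constants (the format "tcpdump -w" and Ethereal use natively)
PCAP_MAGIC = 0xA1B2C3D4      # microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # nanosecond timestamps (newer libpcap)
GLOBAL_HDR_FMT = "HHiIII"    # version_major, version_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_FMT = "IIII"      # ts_sec, ts_frac, incl_len, orig_len
LINKTYPE_ETHERNET = 1


def parse_global_header(hdr):
    """Return (endian, snaplen, linktype) from the 24-byte pcap global header."""
    if len(hdr) != 24:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):          # the magic reveals the writer's byte order
        if struct.unpack(endian + "I", hdr[:4])[0] in (PCAP_MAGIC, PCAP_MAGIC_NS):
            _, _, _, _, snaplen, linktype = struct.unpack(endian + GLOBAL_HDR_FMT, hdr[4:])
            return endian, snaplen, linktype
    raise ValueError("not a pcap stream: bad magic %r" % hdr[:4])


def iter_records(stream, endian):
    """Yield (ts_sec, ts_frac, orig_len, data) per record. Reads exactly one record
    at a time, so on a pipe each packet is handed over as soon as tcpdump wrote it."""
    while True:
        hdr = stream.read(16)
        if not hdr:
            return                     # clean end of stream
        if len(hdr) < 16:
            raise ValueError("truncated record header")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + RECORD_HDR_FMT, hdr)
        data = stream.read(incl_len)
        if len(data) < incl_len:
            raise ValueError("truncated packet data")
        yield ts_sec, ts_frac, orig_len, data


def write_pcap(out, records, snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """Write (ts_sec, ts_frac, orig_len, data) records as a little-endian pcap stream."""
    out.write(struct.pack("<I" + GLOBAL_HDR_FMT, PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_frac, orig_len, data in records:
        out.write(struct.pack("<" + RECORD_HDR_FMT, ts_sec, ts_frac, len(data), orig_len))
        out.write(data)


class PacketStore:
    """SQLite-backed packet store (hypothetical name): one row per packet, raw bytes as BLOB."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS packets (id INTEGER PRIMARY KEY,"
                        " ts_sec INTEGER, ts_frac INTEGER, orig_len INTEGER, data BLOB)")
        self.snaplen, self.linktype = 65535, LINKTYPE_ETHERNET

    def ingest(self, stream):
        """Consume a pcap stream (file or pipe), committing each packet as it arrives."""
        endian, self.snaplen, self.linktype = parse_global_header(stream.read(24))
        stored = 0
        for rec in iter_records(stream, endian):
            self.db.execute("INSERT INTO packets (ts_sec, ts_frac, orig_len, data)"
                            " VALUES (?, ?, ?, ?)", rec)
            self.db.commit()           # per-packet commit: a concurrent reader sees it now
            stored += 1
        return stored

    def count(self):
        return self.db.execute("SELECT COUNT(*) FROM packets").fetchone()[0]

    def delete_ids(self, ids):
        """Remove selected packets by id; ids are bound parameters, never SQL text."""
        ids = list(ids)
        if not ids:
            return 0
        cur = self.db.execute("DELETE FROM packets WHERE id IN (%s)" % ",".join("?" * len(ids)), ids)
        self.db.commit()
        return cur.rowcount

    def delete_ethertype(self, ethertype):
        """Remove every Ethernet frame whose EtherType (bytes 13-14, 1-based) matches."""
        cur = self.db.execute("DELETE FROM packets WHERE substr(data, 13, 2) = ?",
                              (struct.pack(">H", ethertype),))
        self.db.commit()
        return cur.rowcount

    def export_pcap(self, out):
        """Write the remaining packets back out as pcap, in capture order."""
        rows = self.db.execute("SELECT ts_sec, ts_frac, orig_len, data FROM packets ORDER BY id")
        write_pcap(out, rows, self.snaplen, self.linktype)


def sample_capture():
    """Three constructed Ethernet frames (not real traffic): IPv4, ARP, IPv4."""
    dst, src = b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01"
    ipv4 = dst + src + b"\x08\x00" + b"\x45\x00" + b"\x00" * 18
    arp = dst + src + b"\x08\x06" + b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20
    buf = BytesIO()
    write_pcap(buf, [(1101481268, 0, len(ipv4), ipv4),
                     (1101481268, 500, len(arp), arp),
                     (1101481269, 0, len(ipv4), ipv4)])
    return buf.getvalue()


def run_demo(pcap_bytes=None):
    """Ingest, drop the ARP frame, then drop packet id 1, re-export. Returns the counts
    at each step plus (record count, first timestamp) of the exported pcap."""
    store = PacketStore()
    loaded = store.ingest(BytesIO(pcap_bytes or sample_capture()))
    dropped_arp = store.delete_ethertype(0x0806)
    dropped_id = store.delete_ids([1])
    out = BytesIO()
    store.export_pcap(out)
    endian, _, _ = parse_global_header(out.getvalue()[:24])
    recs = list(iter_records(BytesIO(out.getvalue()[24:]), endian))
    return loaded, dropped_arp, dropped_id, store.count(), len(recs), recs[0][0] if recs else None


if __name__ == "__main__":
    # Assumed live invocation: tcpdump -w - | python packetdb.py -
    if sys.argv[1:] == ["-"]:
        print("stored", PacketStore("packets.db").ingest(sys.stdin.buffer), "packets")
    else:
        print(run_demo())
```

Deleting rows is cheap here because every packet is its own row; a pcap file offers no equivalent, since records are appended back to back with no index, so removing one would mean rewriting the file. Both delete methods use bound parameters, so a packet id or EtherType supplied by a user never becomes part of the SQL statement.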
Current thread:
- using a database to store packets MAURICIOMANENTS (Nov 27)
- Re: using a database to store packets Guy Harris (Nov 27)
- <Possible follow-ups>
- Re: using a database to store packets MAURICIOMANENTS (Nov 27)
- Re: using a database to store packets Ed Maste (Nov 27)
- Re: using a database to store packets Guy Harris (Nov 27)
- Re: using a database to store packets Daniel Lawson (Nov 28)
- Re: using a database to store packets Ed Maste (Nov 27)
- Re: using a database to store packets MAURICIOMANENTS (Nov 29)
- Re: using a database to store packets Aaron Turner (Nov 29)
- Re: using a database to store packets Daniel Lawson (Nov 29)
- Re: using a database to store packets MAURICIOMANENTS (Nov 29)