tcpdump mailing list archives

opinions on sniffing WAN ports


From: "Fulko Hew" <fulko.hew () gmail com>
Date: Thu, 11 Jan 2007 10:44:15 -0500

I tried sending this yesterday, but apparently it didn't get through...

I'm new to this list, so please be gentle...

I'm involved with a product that does legacy WAN protocols and IP
translation and routing.  One of the features of this product is
supposed to be line monitoring.  Since I think Ethereal/Wireshark is a
wonderful product, I thought I could leverage its functionality for
our needs.  Since libpcap is what does the hard lifting, I feel that's
the first part I need to address/modify.

Here's the ideas... I'm looking for comments (especially from those
people who may already have done WAN monitoring):

0/ My hardware is a multi-processor box, so I'd alter libpcap to split
its functionality into two parts:
a) a part that runs on the processor that runs tcpdump/wireshark,
b) a distributed back-end that runs on each processor that supports
the WANs/LANs

The second part(s) will be responsible for performing the actual
monitoring and packet filtering, and the first part will compile the
filters, and forward requests (across an out-of-band link) to the
various back ends, to obtain interface information and start/stop
monitoring, etc.

1/ I'll modify libpcap to query each processor to obtain its list of
interfaces, aggregate that list and return that aggregated list when
any function related to pcap_findalldevices() is called.

2/ When something like pcap_open() is called, I'd start an OOB
session between libpcap and the remote processor, and tell it what
interface to start monitoring.  The reverse channel would then be the
path back to libpcap for the captured data.

3/ I'd request and use some new DLT_xxx values for the 'special' WAN
protocols used. (We deal in the airline comms industry, and they have
some '40 year old' protocols still in wide use.)  I'd use these new
DLT_xxx values in the data_link_type field of the global header in the
data stream.

4/ I then create wireshark dissectors for my protocols.

5/ I move the BPF engine to the remote processors so I can have them
do the filtering, and leave the compilation phase in the processor
that hosts wireshark.

TIA
Fulko
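As an added example (not code from the original post, from libpcap or from the product described), here is the capture-stream framing that steps 2 and 3 describe, in Python: a writer that places the chosen DLT value in the data_link_type field of the pcap global header, and a reader that checks the header and bounds every record length before using it, since the stream arrives from a separate back-end processor. DLT_USER0 (147, the first of the private-use link types 147-162) stands in for a WAN DLT that has not yet been assigned; the sample frames are constructed.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4           # native-order magic, microsecond timestamps
DLT_USER0, DLT_USER15 = 147, 162   # private-use link types reserved by tcpdump.org
DLT_LEGACY_WAN = DLT_USER0         # assumed stand-in for a not-yet-assigned WAN DLT

def write_pcap(dlt, records, snaplen=65535):
    """Build a pcap byte stream: one global header, then (ts_sec, ts_usec, bytes) records."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, dlt)
    for ts_sec, ts_usec, data in records:
        caplen = min(len(data), snaplen)       # captured length honours the snaplen
        out += struct.pack("<IIII", ts_sec, ts_usec, caplen, len(data)) + data[:caplen]
    return out

def read_pcap(blob):
    """Parse a pcap byte stream defensively; returns (dlt, [(ts_sec, ts_usec, data), ...])."""
    if len(blob) < 24:
        raise ValueError("short global header")
    magic, vmaj, vmin, _tz, _sig, snaplen, dlt = struct.unpack("<IHHiIII", blob[:24])
    if magic != PCAP_MAGIC or (vmaj, vmin) != (2, 4):
        raise ValueError("unsupported pcap magic/version")
    pkts, off = [], 24
    while off < len(blob):
        if len(blob) - off < 16:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, caplen, origlen = struct.unpack("<IIII", blob[off:off + 16])
        # The lengths come from the remote back end: bound them before trusting them.
        if caplen > snaplen or caplen > origlen or caplen > len(blob) - off - 16:
            raise ValueError("bad record length at offset %d" % off)
        pkts.append((ts_sec, ts_usec, blob[off + 16:off + 16 + caplen]))
        off += 16 + caplen
    return dlt, pkts

def is_private_dlt(dlt):
    """True if dlt lies in the DLT_USERn range meant for unassigned, private link types."""
    return DLT_USER0 <= dlt <= DLT_USER15

# Constructed sample: two frames as a WAN back end might forward them to the host.
SAMPLE = [(1168530255, 1000, b"\x7e\x01\x03" + b"A" * 40),
          (1168530255, 2500, b"\x7e\x05\x03")]
```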
-
This is the tcpdump-workers list.
