tcpdump mailing list archives
opinions on sniffing WAN ports
From: "Fulko Hew" <fulko.hew () gmail com>
Date: Thu, 11 Jan 2007 10:44:15 -0500
I tried sending this yesterday, but apparently it didn't get through...

I'm new to this list, so please be gentle... I'm involved with a product that does legacy WAN protocols and IP translation and routing. One of the features of this product is supposed to be line monitoring. Since I think Ethereal/Wireshark is a wonderful product, I thought I could leverage its functionality for our needs. Since libpcap is what does the hard lifting, I feel that's the first part I need to address/modify.

Here are the ideas... I'm looking for comments (especially from those people who may already have done WAN monitoring):

0/ My hardware is a multi-processor box, so I'd alter libpcap to split its functionality into two parts:
   a) a part that runs on the processor that runs tcpdump/wireshark,
   b) a distributed back-end that runs on each processor that supports the WANs/LANs.
   The second part(s) will be responsible for performing the actual monitoring and packet filtering, and the first part will compile the filters and forward requests (across an out-of-band link to the various back ends) to obtain interface information and start/stop monitoring, etc.

1/ I'll modify libpcap to query each processor to obtain its list of interfaces, aggregate that list, and return that aggregated list when any function related to pcap_findalldevices() is called.

2/ When something like pcap_open() is called, I'd start an OOB session between libpcap and the remote processor, and tell it what interface to start monitoring. The reverse channel would then be the path back to libpcap for the captured data.

3/ I'd request and use some new DLT_xxx values for the 'special' WAN protocols used. (We deal in the airline comms industry, and they have some '40 year old' protocols still in wide use.) I'd use these new DLT_xxx values in the data_link_type field of the global header in the data stream.

4/ I then create Wireshark dissectors for my protocols.

5/ I move the BPF engine to the remote processors so I can have them do the filtering, and leave the compilation phase in the processor that hosts Wireshark.

TIA
Fulko

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
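An added sketch of the split in items 3 and 5 above (not Fulko's code, not libpcap's): the front end packs a compiled BPF program in the `struct bpf_insn` wire layout and sends it over the OOB link, the back end interprets it against captured frames, and the capture stream's global header carries the link type. The sample program is the one `tcpdump -dd ip` produces for Ethernet; DLT_USER0 stands in for a value the product would still have to request.

```python
import struct

PCAP_MAGIC = 0xa1b2c3d4
DLT_USER0 = 147  # libpcap private-use range DLT_USER0..15 = 147..162; a product would request its own value

def pcap_global_header(linktype, snaplen=65535):
    """Classic pcap global header; linktype fills the data_link_type field."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)

BPF_LDH_ABS = 0x28   # acc = big-endian halfword at pkt[k]
BPF_JEQ_K = 0x15     # pc += (acc == k) ? jt : jf
BPF_RET_K = 0x06     # accept k bytes of the packet (0 = drop)

# Constructed: the program `tcpdump -dd ip` emits for Ethernet, as (code, jt, jf, k).
FILTER_IP = [(0x28, 0, 0, 12), (0x15, 0, 1, 0x0800), (0x06, 0, 0, 262144), (0x06, 0, 0, 0)]

def encode_program(prog):
    """Front end: pack like struct bpf_insn (u_short code, u_char jt, u_char jf, u_int32 k)."""
    return b"".join(struct.pack("<HBBI", *insn) for insn in prog)

def decode_program(blob):
    return [struct.unpack_from("<HBBI", blob, off) for off in range(0, len(blob), 8)]

def bpf_run(prog, pkt):
    """Back-end interpreter: returns bytes to capture, 0 to drop the packet."""
    acc, pc = 0, 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        if code == BPF_LDH_ABS:
            if k + 2 > len(pkt):
                return 0          # out-of-bounds load rejects the packet, as the kernel does
            acc = struct.unpack_from(">H", pkt, k)[0]
        elif code == BPF_JEQ_K:
            pc += jt if acc == k else jf
        elif code == BPF_RET_K:
            return k
        else:
            raise ValueError("unsupported opcode 0x%02x" % code)
    return 0                      # fell off the end: drop

def remote_filter(blob, frames):
    """What a back end does with a program received over the OOB link."""
    prog = decode_program(blob)
    return [f for f in frames if bpf_run(prog, f) > 0]

# Constructed Ethernet frames: dst, src, ethertype, payload (and one runt frame).
ETH_IP = bytes(6) + bytes(6) + b"\x08\x00" + b"\x45\x00" + bytes(18)
ETH_ARP = bytes(6) + bytes(6) + b"\x08\x06" + bytes(28)
RUNT = b"\x00" * 10
```

`remote_filter(encode_program(FILTER_IP), [ETH_IP, ETH_ARP, RUNT])` keeps only the IP frame; a real back end would then prepend `pcap_global_header(DLT_USER0)` to the frames it sends back.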