Re: Problem with generation of Pcap traces for

[Guy Harris <guy () alum mit edu>]

On May 13, 2009, at 3:46 PM, Johan Mazel wrote:

> My reason of doing this is that I want to be able to aggregate  
> different
> source of packets (eg.: I have eth0, eth1 eth2 and eth3 and I want to
> capture on eth0 and eth1 only and build a trace from these  
> interfaces only).
> My goal is to aggregate the capture from these interfaces by just  
> supplying
> the different data structures (pcap_pkthdr and const char *) of the  
> captured
> packets to the libpcap functions and generate a tracefile (or  
> savefile) from
> them.

So you'd need to call pcap_create() on each of the interfaces whose  
traffic you want to aggregate *AND* call pcap_activate() on all of them.

In addition, you should make sure the interfaces all have the same  
link-layer type, as pcap files don't support multiple link-layer types  
in a single file.

> If I want to do what I explained in the previous paragraph, I'll  
> have to use
> pcap_create with a device name like ethx in parameter, pcap_activate  
> with
> the pcap_t * previously created in parameter and then pcap_dump_open  
> with
> with the pcap_t * previously created and the name of my tracefile in
> parameters.

Right.  You have to pass to pcap_dump_open() a pcap_t that's:

        the result of pcap_create() *and* pcap_activate();

        the result of pcap_open_live();

        the result of pcap_open_offline();

        the result of pcap_open_dead().

> Ok, I now understand the point of using a pcap_t in this case.
> It is actually really helping me since I do not want to log the whole
> packet.
> And with my 2 pcap_t, I will be able to capture the full packet and  
> only log
> a part of it.

What do you mean by "capture the full packet and only log a part of it"?
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.