tcpdump mailing list archives
Re: Question regarding libpcap filters and sflow, how to filter 1 out of every N packets.
From: "Tyler Littlefield" <tyler () tysdomain com>
Date: Mon, 6 Apr 2009 17:05:20 -0600
Is there a way to specify 1 out of every N packets sampling using an existing filter combination?
Short term, dirty hack:
For the function that you use to loop, just keep a static counter. When you hit 10, set it to 0 and start over or whatever.

Thanks,
Tyler Littlefield
Web: tysdomain.com
email: tyler () tysdomain com
My programs don't have bugs, they're called randomly added features.

----- Original Message -----
From: "Guy Harris" <guy () alum mit edu>
To: <tcpdump-workers () lists tcpdump org>
Sent: Monday, April 06, 2009 4:53 PM
Subject: Re: [tcpdump-workers] Question regarding libpcap filters and sflow, how to filter 1 out of every N packets.

On Apr 6, 2009, at 2:52 PM, Diego Valverde wrote:

> Is there a way to specify 1 out of every N packets sampling using an existing filter combination?

No. The filtering mechanism was created in order to filter based on packet content, and that's all it supports checking.

> if not where should I look into the code in order to extend the filtering functionally for my particular needs?

Nowhere - as indicated, the filtering mechanism checks only packet contents.

I'm assuming the embedded device is running an operating system such as Linux, so that packets have to be copied from kernel space to user space (unless libpcap is using the memory-mapped access mechanism on Linux or FreeBSD) to be delivered to libpcap.

If you don't care whether packets not being sampled are copied from kernel space to user space (or if you're running on a version of Linux or FreeBSD with a memory-mapped capture interface), you could just do the sampling in the code that reads from libpcap.

If you do care, you'll have to implement the filtering in the kernel.

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
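Added example, not part of the original thread or of libpcap: a user-space 1-in-N sampler of the kind the message above describes, with state kept in a struct rather than a static, plus a randomized-skip mode (a generalization beyond the thread) so the sample does not lock onto periodic traffic. All names (struct sampler, sampler_init, sampler_take, sampler_run) are hypothetical; as noted in the quoted reply, every packet is still delivered to user space before it is dropped.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical sampler state: one per capture handle, not a static. */
struct sampler {
    uint32_t n;     /* keep 1 packet in n (on average in random mode) */
    uint32_t skip;  /* packets still to drop before the next sample */
    uint32_t rng;   /* xorshift32 state; 0 selects the fixed counter */
    uint64_t kept;  /* packets passed on for processing */
};

static uint32_t next_skip(struct sampler *s) {
    if (s->rng == 0)
        return s->n - 1;               /* fixed: exactly every n-th */
    s->rng ^= s->rng << 13;            /* xorshift32 step */
    s->rng ^= s->rng >> 17;
    s->rng ^= s->rng << 5;
    return s->rng % (2 * s->n - 1);    /* uniform 0..2n-2, mean n-1 */
}

static void sampler_init(struct sampler *s, uint32_t n, uint32_t seed) {
    s->n = n ? n : 1;                  /* n == 0 would underflow: keep all */
    s->rng = seed;
    s->kept = 0;
    s->skip = next_skip(s);
}

/* Call first in the callback given to pcap_loop(); return early on 0. */
static int sampler_take(struct sampler *s) {
    if (s->skip > 0) { s->skip--; return 0; }
    s->skip = next_skip(s);
    s->kept++;
    return 1;
}

/* Feed `packets` constructed arrivals through a sampler; return kept. */
static uint64_t sampler_run(uint32_t n, uint32_t seed, uint64_t packets) {
    struct sampler s;
    sampler_init(&s, n, seed);
    while (packets--)
        sampler_take(&s);
    return s.kept;
}

int main(void) {
    printf("fixed 1-in-10: %llu, random 1-in-10: %llu\n",
           (unsigned long long)sampler_run(10, 0, 1000000),
           (unsigned long long)sampler_run(10, 2463534242u, 1000000));
    return 0;
}
```

In a libpcap program the struct would be passed through the user argument of pcap_loop() and sampler_take() checked before any per-packet work.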
Current thread:
- Question regarding libpcap filters and sflow, how to filter 1 out of every N packets. Diego Valverde (Apr 06)
- Re: Question regarding libpcap filters and sflow, how to filter 1 out of every N packets. Guy Harris (Apr 06)
- Re: Question regarding libpcap filters and sflow, how to filter 1 out of every N packets. Tyler Littlefield (Apr 06)
- Re: Question regarding libpcap filters and sflow, Diego Valverde (Apr 06)
- Re: Question regarding libpcap filters and sflow, Darren Reed (Apr 06)
- Re: Question regarding libpcap filters and sflow, Guy Harris (Apr 06)
- Re: Question regarding libpcap filters and sflow, how to filter 1 out of every N packets. Guy Harris (Apr 06)
- Re: Question regarding libpcap filters and sflow, Diego Valverde (Apr 06)
- Re: Question regarding libpcap filters and sflow, Guy Harris (Apr 07)
- Re: Question regarding libpcap filters and sflow, how to filter 1 out of every N packets. Guy Harris (Apr 06)