Re: "stream" data from tcpdump

[Michael Richardson <mcr () sandelman ottawa on ca>]

> > > > > "Gilgamesh" == Gilgamesh Enkidu <ether.header () googlemail com> writes:
    Gilgamesh> I'm running tcpdump on an interface and doing some pretty
    Gilgamesh> tight filtering on it.  Occasionally, I would like to run
    Gilgamesh> another tool (eg. snort, tshark) on the filtered stream
    Gilgamesh> of data.  It seems less than ideal to have to run the
    Gilgamesh> other tool on the interface and repeat the filtering,
    Gilgamesh> rather than taking advantage of the fact that tcpdump has
    Gilgamesh> already done it for me.

    Gilgamesh> But what is the best way to get my "stream" of filtered
    Gilgamesh> data from tcpdump to my other tool?  I would rather not
    Gilgamesh> write the data to disk.  A fifo seemed like a good idea,
    Gilgamesh> but it falls down in that when I quit my second tool it
    Gilgamesh> kills the original tcpdump.

  have a tool that implements your pcap filter, and opens some
fifos/unix sockets, and write pcap format to it.  tcpdump -r
option does not seek, so you can read from a pipe with it.

-- 
]     Y'avait une poule de jammé dans l'muffler!!!!!!!!!        |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr () sandelman ottawa on ca http://www.sandelman.ottawa.on.ca/ |device driver[
]    h("Just another Debian GNU/Linux using, kernel hacking,    ruby  guy");  [
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.