SLUG Mailing List Archives
Re: [SLUG] Tcpdump - multiple filters to multiple files?
- To: Jean-Francois Dive <jef@xxxxxxxxxxx>
- Subject: Re: [SLUG] Tcpdump - multiple filters to multiple files?
- From: Umar Goldeli <umar@xxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 24 Jun 2003 10:50:00 +1000 (EST)
- Cc: slug@xxxxxxxxxxx
> The bottom of this is the fact that the packet filtering using tcpdump on linux
> is not done by tcpdump itself nor by the libpcap, but by the BPF filtering capability
> of the kernel (read: the kernel only sends the appropriate packets to the userland side).
> To solve your problem, you don't need tcpdump at all: tcpdump is basically a pcap format interpreter.
> You can do it by opening 100 sockets filtered for one host or 1 socket and filter yourself; obviously,
> the second one is the only one to scale properly. The amount of code to do that would be
> small if you only want to dump that to a file.
That's the kind of thing I was thinking of - getting some kind of packet
stream from the kernel and filtering it myself - maybe a hash table of
sorts with the filters in them etc etc.. alas, I haven't played with C for
quite some time now and I've been converted to the Dark Side(tm) (Perl. ;)
- so for me it would be quite impossible..
However, if this is indeed a simple task - I'd be willing to pay someone
to put it together for me.. ?
> On Mon, Jun 23, 2003 at 08:01:17PM +1000, Umar Goldeli wrote:
> > Howdy,
> > How are we all? :)
> > Here's an interesting question that I'm looking for a solution to - quite
> > simply, is there a way to run tcpdump to capture different ip addresses
> > and output them to different files without running multiple copies of
> > tcpdump?
> > Specifically - something along these lines:
> > * A single tcpdump process captures packets with source or dest IP:
> > 22.214.171.124 and outputs the results to 126.96.36.199.log whilst at the same time
> > doing the same for 188.8.131.52 and 184.108.40.206.log respectively.
> > Ideally - this scales to the 100 mark or so.. and FAST.
> > I'm pretty sure this can't be done with tcpdump/libpcap - but is there
> > another utility?
> > If none exists - how hard would it be to code such a beast? Also - could
> > it be coded portably so it could compile/run on Solaris etc?
> > Looking forward to hearing your replies...
> > Thanks in advance. :)
> > Cheers,
> > Umar.
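The "one socket, filter yourself" approach Jean-Francois describes, with the hash table of watched hosts Umar mentions, as an added example that is not from either poster (written in Python rather than the C or Perl the thread talks about). It assumes the capture source already hands you raw Ethernet frames; the frames below are constructed inline, and each per-host output is a bytearray standing in for the .log file, written in libpcap's own file format so tcpdump -r can read it.

```python
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800

def pcap_global_header():
    # magic, version 2.4, tz offset, sigfigs, snaplen, linktype 1 = Ethernet
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def pcap_record(frame, ts_sec=0, ts_usec=0):
    # per-packet header: ts_sec, ts_usec, captured length, original length
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame

def ipv4_endpoints(frame):
    # (src, dst) of an IPv4-over-Ethernet frame, or None for anything else
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    return ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))

def make_frame(src, dst, payload=b""):
    # constructed minimal Ethernet+IPv4 frame (no checksum); for the demo only
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    return eth + ip + payload

class Demux:
    # one capture stream in, one pcap stream per watched host out
    def __init__(self, watched):
        self.watched = set(watched)            # O(1) lookup, however many hosts
        self.outputs = defaultdict(bytearray)  # host -> pcap bytes (a file in practice)

    def feed(self, frame, ts_sec=0, ts_usec=0):
        ends = ipv4_endpoints(frame)
        hits = [h for h in dict.fromkeys(ends or ()) if h in self.watched]
        for host in hits:
            if host not in self.outputs:
                self.outputs[host] += pcap_global_header()
            self.outputs[host] += pcap_record(frame, ts_sec, ts_usec)
        return hits

def demo():
    d = Demux(["22.214.171.124", "188.8.131.52"])  # hosts from the original question
    d.feed(make_frame("22.214.171.124", "10.0.0.1"), ts_sec=1)
    d.feed(make_frame("10.0.0.2", "188.8.131.52"), ts_sec=2)
    d.feed(make_frame("22.214.171.124", "188.8.131.52"), ts_sec=3)  # lands in both
    d.feed(make_frame("10.0.0.3", "10.0.0.4"), ts_sec=4)            # dropped
    return d
```

Note that a frame between two watched hosts is written to both outputs, which is what "source or dest IP" asks for; with a kernel BPF filter in front of this process to drop everything not addressed to the watched set, the per-packet cost is one set lookup per address.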