On Sun, 4 May 2003 10:00 am, Jon Baer wrote:
> hi,
>
> i noticed that winpcap now has remote capture abilities (via
> http://winpcap.polito.it/docs/man/html/group__remote__help.html) but what
> im really wondering is if it is currently possible or possible in the
> future to view via ethereal (for say if you had a wifi dmz setup w/snort to
> monitor traffic) ...

I've thought about remote capture a little, and the easiest way would seem to be to use libpcap over some kind of RPC mechanism. There is actually a sourceforge project to do this (http://sf.net/projects/rpcap) although it appears to need a lot more work - I couldn't even get the CVS version to build. I had some discussions with the maintainer, and it looked like he did intend to do some more work on it, but probably real world concerns intruded.

I thought that it would be fairly easy to get Ethereal to build using such a mechanism, since the calls are essentially the same. To allow easy access to the various machines offering captures, I thought that something like Service Location Protocol might be useful. It should be possible to make Ethereal build without those, if not available, based on some pretty trivial autoconf magic.

The issues would then be whether there is enough throughput, and how to avoid runaway capturing problems (presumably some kind of automatic capture filter would be required).

Brad
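
The automatic capture filter mentioned in the message above, sketched as an added example that is not part of the original post and is not Ethereal or rpcap code. It assumes the captured packets travel back to the viewer over a single TCP connection; the function name `build_capture_filter` is hypothetical, and the addresses and ports are constructed sample values.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: build a BPF filter that excludes the capture
 * transport's own TCP connection (otherwise every forwarded packet is
 * captured and forwarded again), then applies the user's filter to the rest.
 * Returns 0 on success, -1 on bad input or if the result does not fit. */
int build_capture_filter(const char *client_ip, unsigned client_port,
                         unsigned server_port, const char *user_filter,
                         char *out, size_t outlen)
{
    unsigned char addr[sizeof(struct in6_addr)];
    const char *family;
    int n;

    /* Parse the address so only a literal IP can reach the filter text. */
    if (client_ip == NULL)
        return -1;
    if (inet_pton(AF_INET, client_ip, addr) == 1)
        family = "ip";
    else if (inet_pton(AF_INET6, client_ip, addr) == 1)
        family = "ip6";
    else
        return -1;
    if (client_port < 1 || client_port > 65535 ||
        server_port < 1 || server_port > 65535)
        return -1;

    /* A blank user filter means "everything except the transport". */
    if (user_filter == NULL || user_filter[strspn(user_filter, " \t")] == '\0')
        n = snprintf(out, outlen, "not (%s host %s and tcp port %u and tcp port %u)",
                     family, client_ip, client_port, server_port);
    else
        n = snprintf(out, outlen, "not (%s host %s and tcp port %u and tcp port %u) and (%s)",
                     family, client_ip, client_port, server_port, user_filter);

    /* snprintf reports the length it needed; treat truncation as failure. */
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char filter[256];
    /* Constructed sample: viewer at 192.0.2.10:50000, capture agent on port 2002. */
    if (build_capture_filter("192.0.2.10", 50000, 2002, "tcp port 80",
                             filter, sizeof filter) == 0)
        puts(filter);
    return 0;
}
```

On the capturing machine the resulting string would be handed to libpcap's `pcap_compile()`, which also rejects a user filter that is not valid filter syntax.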