Re: [tcpdump-workers] Listening on multiple devices in promiscuous
Peter Sandford wrote:

> I need to capture from 2 interfaces on a machine in promiscuous mode. This is because we are routing a copy of 2 load balanced streams onto a box for monitoring. I'm aware it isn't possible (?) to listen on "any" with a pcap_open_live in promiscuous as the flag is ignored, but is there a way of listening on a set of interfaces in promiscuous mode?

Although you can't enable promiscuous mode on the "any" interface, enabling it on each of the direct interfaces will result in the "any" interface receiving all the traffic from each of the individual interfaces in promiscuous mode.

Since you mention the "any" interface, which is a Linux-ism, if your machine is a recent Linux system, you may be able to use another approach as well: ethernet bonding, which creates a virtual interface that aggregates the traffic on the two interfaces. This is different from "any" since the "enslaved" interfaces are no longer tied into the upper layer networking code; they simply hand over traffic to the virtual aggregate interface. (I think you can use tcpdump (packet sockets) on the individual interfaces, since they work at the link layer, but I'm not sure).

A google search on ethernet bonding will turn up pages like http://linux-ip.net/html/ether-bonding.html that do a decent job of explaining how to set this up.

If you do something like this, you will probably want to use a High Availability approach to avoid sending packets out both enslaved interfaces, instead using only one. An even better approach would be to leave the interface without upper layer (IP) addresses, and use it as a passive-only device.

@alex

- This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
Re: [tcpdump-workers] Listening on multiple devices in promiscuous mode
On Dec 6, 2004, at 2:07 AM, Peter Sandford wrote:

> I need to capture from 2 interfaces on a machine in promiscuous mode. This is because we are routing a copy of 2 load balanced streams onto a box for monitoring. I'm aware it isn't possible (?) to listen on "any" with a pcap_open_live in promiscuous as the flag is ignored,

The problem is that the "any" device, on Linux, is implemented by capturing on a socket that's not bound to any interface; this means that it can't be used to set promiscuous mode, as the Linux kernel doesn't, as far as I know, turn promiscuous mode on for all interfaces if you try to set promiscuous mode on an unbound socket.

> but is there a way of listening on a set of interfaces in promiscuous mode?

Open multiple pcap_t's, get the file descriptors for them (use "pcap_get_selectable_fd()" if your libpcap has it, "pcap_fileno()" otherwise), and do a "select()" or "poll()" on them for reading. If a descriptor is marked as ready to read, do a "pcap_dispatch()" on the corresponding pcap_t. Note that this should work on most non-Linux UN*Xes as well.

To make this run on BSDs, you should put the descriptors in non-blocking mode (use "pcap_setnonblock()" if your libpcap has it, otherwise set non-blocking mode on the descriptor returned by "pcap_fileno()" - if it has "pcap_get_selectable_fd()", it has "pcap_setnonblock()"), set the timeout in the "select()" or "poll()" to the shortest timeout used in "pcap_open_live()" for any of the pcap_t's, and read from all of the pcap_t's when "select()" returns.
[tcpdump-workers] DLT_ request
Hello,

I would like to request a DLT_ number for usage with raw GPRS LLC frames (DLT_GPRS_LLC). On a mobile, this is an output format that some loggers use. Having it defined as a possible link-layer type would allow me to have the GPRS_LLC dissector in ethereal register with that encapsulation type in pcap_to_wtap_map[] and call the GPRS_LLC dissector directly for my logs.

thank you,
Marc Hermstein
[tcpdump-workers] Listening on multiple devices in promiscuous mode
Hi all,

I need to capture from 2 interfaces on a machine in promiscuous mode. This is because we are routing a copy of 2 load balanced streams onto a box for monitoring. I'm aware it isn't possible (?) to listen on "any" with a pcap_open_live in promiscuous as the flag is ignored, but is there a way of listening on a set of interfaces in promiscuous mode?

Many thanks.
Pete