Howdy,
> The bottom of this is the fact that the packet filtering using tcpdump on linux > is not done by tcpdump itself nor by the libpcap, but by the BPF filtering capability > of the kernel (read: the kernel only send the appropriate packets to the userland > side). > > To solve your problem, you dont need tcpdump at all: tcpdump is basically a pcap > format interpreter. > You can do it by opening 100 sockets filtered for one host or 1 socket et filter > yourself; obvously, > the second one is the only one to scale properly. The amount of code to do that > would be > small if you only want to dump that to a file. that's the kind of thing I was thinking of - getting some kind of packet stream frmo the kernel and filtering it myself - mayeb a hash table of sorts with the filters in them etc etc.. alas, I haven't played with C for quite some time now and I've been converted to the Dark Side(tm) (Perl. ;) - so for me it would be quite impossible.. However, if this is indeed a simple task - I'd be willing to pay someone to put it together for me.. ? //umar. > > JeF > > On Mon, Jun 23, 2003 at 08:01:17PM +1000, Umar Goldeli wrote: > > Howdy, > > > > How are we all? :) > > > > Here's an interesting question that I'm looking for a solution to - quite > > simply, is there a way to run tcpdump to capture different ip addresses > > and output them to different files without running multiple copies of > > tcpdump? > > > > Specifically - something along these lines: > > > > * A single tcpdump process captures packets with source or dest IP: > > 1.2.3.4 and outputs the results to 1.2.3.4.log whilst at the same time > > doing the same for 2.3.4.5 and 2.3.4.5.log respectively. > > > > Ideally - this scales to the 100 mark or so.. and FAST. > > > > I'm pretty sure this can't be done with tcpdump/libpcap - but is there > > another utility? > > > > If none exists - how hard would it be to code such a beast? Also - could > > it be coded portably so it could compile/run on Solaris etc? > > > > Looking forward to hearing your replies... > > > > Thanks in advance. :) > > > > Cheers, > > Umar. -- SLUG - Sydney Linux User's Group - http://slug.org.au/ More Info: http://lists.slug.org.au/listinfo/slug
