On May 13, 2009, at 3:46 PM, Johan Mazel wrote:
> My reason for doing this is that I want to be able to aggregate
> different sources of packets (e.g. I have eth0, eth1, eth2 and eth3 and
> I want to capture on eth0 and eth1 only and build a trace from these
> interfaces only).
>
> My goal is to aggregate the capture from these interfaces by just
> supplying the different data structures (pcap_pkthdr and const char *)
> of the captured packets to the libpcap functions and generate a
> tracefile (or savefile) from them.
So you'd need to call pcap_create() on each of the interfaces whose
traffic you want to aggregate *AND* call pcap_activate() on all of them.
In addition, you should make sure the interfaces all have the same
link-layer type, as pcap files don't support multiple link-layer types
in a single file.
> If I want to do what I explained in the previous paragraph, I'll have
> to use pcap_create with a device name like ethx as parameter,
> pcap_activate with the pcap_t * previously created as parameter, and
> then pcap_dump_open with the pcap_t * previously created and the name
> of my tracefile as parameters.
Right. You have to pass to pcap_dump_open() a pcap_t that's:

    the result of pcap_create() *and* pcap_activate();

    the result of pcap_open_live();

    the result of pcap_open_offline();

    the result of pcap_open_dead().
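Whichever way the pcap_t was obtained, what ends up in the savefile is one (pcap_pkthdr, data) record per pcap_dump() call, and the file can carry only one link-layer type. As an added example (not code from this thread or from libpcap), the C program below aggregates records from two constructed capture sources into a classic savefile in timestamp order and rejects sources whose link-layer types differ; it writes the file format by hand so it builds without libpcap, and merge_savefile(), demo(), the struct names and the sample packets are assumptions for the illustration.

```c
/* Added example, not from the thread: aggregate (pcap_pkthdr, data) records
 * from several capture sources into one classic libpcap savefile, enforcing the
 * reply's rule that all sources share one link-layer type.  Written by hand so
 * it builds without libpcap; with the library each pcap_t would come from
 * pcap_create()/pcap_activate(), pcap_datalink() compared, then pcap_dump_open()/pcap_dump(). */
#include <stdint.h>
#include <stdio.h>
#include <sys/time.h>
#define DLT_EN10MB 1   /* libpcap's value for Ethernet; 12 (DLT_RAW) is used below as a mismatch */
struct pkthdr { struct timeval ts; uint32_t caplen; uint32_t len; };   /* same layout as pcap_pkthdr */
struct source { int linktype; const struct pkthdr *hdrs; const unsigned char *const *data; size_t count; };
struct file_hdr { uint32_t magic; uint16_t major, minor; int32_t zone; uint32_t sigfigs, snaplen, linktype; };
struct rec_hdr { uint32_t sec, usec, caplen, len; };   /* on-disk fields are 32-bit, unlike struct timeval */
static int ts_before(const struct timeval *a, const struct timeval *b)
{ return a->tv_sec < b->tv_sec || (a->tv_sec == b->tv_sec && a->tv_usec < b->tv_usec); }
/* Merge in timestamp order; returns records written, -1 on link-type mismatch, -2 on I/O or argument error. */
int merge_savefile(const char *path, const struct source *s, size_t n, uint32_t snaplen)
{
    if (n == 0 || n > 16) return -2;                     /* pos[] below holds up to 16 sources */
    for (size_t i = 1; i < n; i++)
        if (s[i].linktype != s[0].linktype) return -1;   /* a savefile carries exactly one DLT */
    FILE *f = fopen(path, "wb");
    if (!f) return -2;
    struct file_hdr fh = { 0xa1b2c3d4u, 2, 4, 0, 0, snaplen, (uint32_t)s[0].linktype };
    int ok = fwrite(&fh, sizeof fh, 1, f) == 1, written = 0;
    size_t pos[16] = { 0 };   /* next unwritten record of each source */
    while (ok) {
        size_t b = n;         /* source holding the earliest pending packet */
        for (size_t i = 0; i < n; i++)
            if (pos[i] < s[i].count && (b == n || ts_before(&s[i].hdrs[pos[i]].ts, &s[b].hdrs[pos[b]].ts)))
                b = i;
        if (b == n) break;    /* every source drained */
        const struct pkthdr *h = &s[b].hdrs[pos[b]];
        struct rec_hdr rh = { (uint32_t)h->ts.tv_sec, (uint32_t)h->ts.tv_usec,
                              h->caplen < snaplen ? h->caplen : snaplen, h->len };   /* never exceed snaplen */
        ok = fwrite(&rh, sizeof rh, 1, f) == 1 && fwrite(s[b].data[pos[b]], 1, rh.caplen, f) == rh.caplen;
        pos[b]++; written++;
    }
    return (fclose(f) == 0 && ok) ? written : -2;
}
/* Constructed sample: two capture sources whose packets interleave in time. */
static const unsigned char pkt[14] = { 0xff,0xff,0xff,0xff,0xff,0xff, 0,1,2,3,4,5, 0x08,0x06 };
static const struct pkthdr h0[] = { { { 1, 100 }, 14, 14 }, { { 3, 0 }, 14, 14 } }, h1[] = { { { 2, 0 }, 14, 60 } };
static const unsigned char *const d0[] = { pkt, pkt }, *const d1[] = { pkt };
/* Returns 3 when both sources are Ethernet, -1 when the second claims another DLT. */
int demo(const char *path, int second_linktype)
{
    struct source s[2] = { { DLT_EN10MB, h0, d0, 2 }, { second_linktype, h1, d1, 1 } };
    return merge_savefile(path, s, 2, 65535);
}
```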
> OK, I now understand the point of using a pcap_t in this case.
> It is actually really helping me since I do not want to log the whole
> packet. And with my 2 pcap_t, I will be able to capture the full packet
> and only log a part of it.
What do you mean by "capture the full packet and only log a part of it"?
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.