Hi.
 
I worked on this stuff during my graduation thesis, three years ago. Basically, I added some features to the original BPF virtual machine to support the retrieval of statistics. All the modifications to the original BPF machine are available in the release version of WinPcap (this extension is called TME; the main file is tme.c/h in winpcap/packetntx/driver).
 
You can find the PDF version of my thesis at
 
 
The first chapter is in Italian; the remaining part is written in English.
 
Have a nice day
GV
 
----- Original Message -----
Sent: Tuesday, August 10, 2004 1:36 PM
Subject: [WinPcap-users] multiple filters

Apologies if this is a repeat, but I did look for the answer and did not find it.
 
I reviewed the nice sample app TCPTOP which uses winpcap in MODE_STAT (packet/byte statistics).  This is neat, except that: Imagine I have 5 types of packets I want to tabulate statistics for:  HTTP, all other TCP, all UDP, all IPSEC, and other IP.  I would like the statistics for *each* filter when dispatcher_handler is called.  Obviously I could just recompile tcptop to take a filter on the command line and run 5 separate processes, but perhaps the 1000ms intervals don't exactly overlap (they are different processes, after all), and if I ran a 6th one that was unfiltered (all packets), I really would have no guarantee that the totals would add up.
 
Basically, I would like to be able to pass in an array of filters before pcap_loop( ) is called.  Packets would be matched against each filter and the compiled statistics for each filter would be returned to dispatch_handler( ).  Is there a way of doing this?
 
I realize I can just get the bytes for every packet and do my own decode, but then I will have gotten away from the very low overhead that makes TCPTOP such a nice app.  Traffic is typically 5-10Mbps right now, so performance is a concern.
 
+Steve
