Hi All.
This is my first post to this list.
At present I am working on a system where all the capture for many testbeds is
done at one central point (Cisco Catalyst 6500). The capture is done with
Dumpcap using multiple files of 20 Meg. Using the central point for all the
capture cannot be changed. I do not have any way of capturing on an interface
on the testbeds used. As there are many testbeds I wrote some batch files to
invoke tshark to filter the capture files for packets having a host (i.e.
source or destination) IP address equal to the testbed's IP address. The filter
is run for each testbed of interest. This system works at present, but in the
future each host will go from having 1 IP address to 30. Filtering each capture
file 30 times for each of the IP addresses will not work as it will be way too
slow.

I see that you can have multiple filters when using tshark and I was wondering
if anyone had experience of using tshark with 30 filter expressions. Does
anyone know how much it will slow down the filtering?

Does anyone have an example of putting the filter expression in a file?
I have read all the manuals I can find but I cannot find a section giving the
format for the filters when they are in a file and not on the command line.

Does anyone know of some example C/C++ code using the Wireshark libraries on
Win XP to do this type of filtering? If I knew the file header format I could
write a tool to do the filtering myself, but again there does not seem to be a
concise definition of the file format, and there are various warnings not to
assume the headers will remain the same.

For my filter application the code can be a little more compact:
It does not need to worry about endianness.
It will always read from a file, so no code to deal with live capture is needed.
It would not need to compile the filter.
It's only concerned with the IP address, so it does not need to worry about other
protocols.
The only thing the application needs to read from the packet is total length,
packet type, source IP address and dest IP address.
The packets could be written as they are found, or buffered up until the whole
capture file has been processed. This would depend on the number of open files
the application could have. If the number of files that can be open is more
than the number of testbeds being filtered for, then the packets can be written
as they are found. If there are more testbeds than the max number of open files,
then buffer up the writes and then go through them one at a time.

Thanks in advance for any help.
Robert Murphy
ICTWM Limited.
Registered in England number: 5771976, VAT registration number: 886 9322 68.
Registered office address: Unit 2, The Hay Barn, Church House Farm, Yarpole,
Leominster HR6 0BB.
_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
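An added example, not from the original post or the Wireshark project: a single-pass C demultiplexer over the classic pcap format (24-byte file header, 16-byte record header, Ethernet II, IPv4) that checks every record against a whole list of testbed addresses at once, instead of re-reading the file once per address. The sample capture, the host list and the function names are constructed for the example; it assumes little-endian classic pcap (not pcapng) with the Ethernet link type.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define PCAP_MAGIC 0xa1b2c3d4u   /* classic little-endian pcap, microsecond timestamps */
#define DLT_EN10MB 1             /* link type 1: Ethernet */
#define IP(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))
/* pcap headers use the writer's byte order (little-endian here); IP addresses are big-endian */
static uint32_t le32(const unsigned char *p) { return p[0] | p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint32_t be32(const unsigned char *p) { return (uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; }
/* One pass over a pcap image: counts[i] = records whose IPv4 source or destination equals
 * hosts[i]. Returns records seen, or -1 if the file header or a record is malformed. Writing
 * each match to a per-host file (same 24-byte header, then the record) is the natural extension. */
int demux_pcap(const unsigned char *buf, size_t len, const uint32_t *hosts, int nhosts, int *counts) {
    size_t off = 24;
    int seen = 0;
    if (len < 24 || le32(buf) != PCAP_MAGIC || le32(buf + 20) != DLT_EN10MB) return -1;
    memset(counts, 0, sizeof(int) * (size_t)nhosts);
    while (off + 16 <= len) {
        uint32_t incl = le32(buf + off + 8);          /* incl_len: bytes actually captured */
        const unsigned char *pkt = buf + off + 16;
        if (incl > len - off - 16) return -1;         /* record runs past end of file */
        seen++;
        /* Ethernet II, ethertype 0x0800, and the full 20-byte IPv4 header present */
        if (incl >= 34 && pkt[12] == 0x08 && pkt[13] == 0x00 && (pkt[14] >> 4) == 4) {
            uint32_t src = be32(pkt + 26), dst = be32(pkt + 30);
            for (int i = 0; i < nhosts; i++)
                if (hosts[i] == src || hosts[i] == dst) counts[i]++;
        }
        off += 16 + incl;
    }
    return seen;
}
/* Constructed test data: one record holding a payload-less Ethernet/IPv4 frame (50 bytes). */
static size_t put_frame(unsigned char *p, uint32_t src, uint32_t dst) {
    memset(p, 0, 50);
    p[8] = p[12] = 34;                                /* incl_len = orig_len = 14 + 20 */
    p[28] = 0x08; p[30] = 0x45; p[33] = 20;           /* ethertype IPv4; version 4, IHL 5, len 20 */
    for (int i = 0; i < 4; i++) { p[42 + i] = src >> (24 - 8 * i); p[46 + i] = dst >> (24 - 8 * i); }
    return 50;
}
/* Build a constructed two-record pcap image into out (at least 124 bytes); returns its length. */
size_t build_sample_pcap(unsigned char *out) {
    static const unsigned char hdr[24] = { 0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0, 0,0,0,0,
                                           0xff,0xff,0,0, 1,0,0,0 };   /* magic, v2.4, snaplen 65535, Ethernet */
    size_t n = 24;
    memcpy(out, hdr, 24);
    n += put_frame(out + n, IP(10,0,0,1), IP(192,168,1,5));
    n += put_frame(out + n, IP(10,0,0,2), IP(10,0,0,1));
    return n;
}
```

A SPAN feed from a Catalyst may carry 802.1Q-tagged frames, which shift the IPv4 header by four bytes; this example only recognises untagged Ethernet II frames and silently skips everything else.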