
Wireshark-bugs: [Wireshark-bugs] [Bug 3967] New: Add start and stop filter triggers to dumpcap

Date: Sun, 30 Aug 2009 18:11:07 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3967

           Summary: Add start and stop filter triggers to dumpcap
           Product: Wireshark
           Version: SVN
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Enhancement
          Priority: Medium
         Component: Extras
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: harixxxx@xxxxxxxxx
                CC: harixxxx@xxxxxxxxx


Build Information:
Not relevant.
--
I'm working on adding start and stop filters to dumpcap. This is similar to
what trigcap.c does, but this implementation is very different.

I checked trigcap.c. It creates two pcap instances and sets them to
non-blocking mode. One of them is used to match the start and stop filters
while the second is used to match the capture filter.

I think making similar changes to dumpcap would be a risk - at least I do not
know all the issues involved. The goals of implementing this feature are:

- Only one pcap instance should be created.
- Blocking mode should be used.
- If start and stop filters are not specified, dumpcap should work as it did
previously, i.e. it should compile the capture filter and install it in the
pcap instance.

Implementation description:
Initialization:
if (start filter given)
    compile capture filter
    if (stop filter given)
        keep compiled capture filter
    else
        // We compiled it only for validation
        free compiled capture filter
    install start filter in pcap
else
    if (stop filter given)
        compile capture filter and keep compiled version
        compile stop filter and keep compiled version
        install empty filter in pcap to match all packets
    else
        install capture filter in pcap
endif

Packet match callback:
if (start filter given)
    // Start filter has matched.
    // Have to switch filter.
    if (stop filter given)
        install empty filter in pcap to match all packets
    else
        install capture filter in pcap
endif
// Now, if stop filter was given, an empty filter would have been
// installed in pcap. So we need to match both the capture filter
// and the stop filter here.
//
// If no stop filter was given, the capture filter would have been
// installed in pcap. Hence there is no need for further match.
if (stop filter given)
    if (packet matches capture filter)
        should save to file
    if (packet matches stop filter)
        stop capture
endif
// Save packet, etc.


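The filter-switching logic from the pseudocode above, as an added example that is not part of the original report or of dumpcap. It assumes constructed stand-ins (a packet is only a destination port, a compiled filter is a predicate function) and a hypothetical `waiting` flag so that the switch away from the start filter happens once.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins: a packet is just a destination port, and a "compiled
 * filter" is a predicate (dumpcap would hold a struct bpf_program instead). */
typedef struct { int dport; } pkt_t;
typedef bool (*filter_fn)(const pkt_t *);
typedef struct { int saved; bool stopped; } result_t;

static bool port80(const pkt_t *p)  { return p->dport == 80; }
static bool port443(const pkt_t *p) { return p->dport == 443; }
static bool port53(const pkt_t *p)  { return p->dport == 53; }
/* NULL models the empty filter, which matches every packet. */
static bool match(filter_fn f, const pkt_t *p) { return f == NULL || f(p); }

/* start/stop may be NULL (not given); capture is the normal capture filter. */
result_t trig_run(filter_fn start, filter_fn stop, filter_fn capture,
                  const pkt_t *pkts, size_t n) {
    result_t r = { 0, false };
    /* Initialization: choose the one filter installed in the pcap instance. */
    filter_fn installed = start ? start : (stop ? NULL : capture);
    bool waiting = (start != NULL);   /* assumption: the switch happens once */
    for (size_t i = 0; i < n && !r.stopped; i++) {
        const pkt_t *p = &pkts[i];
        if (!match(installed, p)) continue;   /* dropped by installed filter */
        if (waiting) {                        /* start trigger fired */
            waiting = false;
            installed = stop ? NULL : capture;
        }
        if (stop) {                           /* both matches done in user space */
            if (match(capture, p)) r.saved++;
            if (stop(p)) r.stopped = true;
        } else {
            r.saved++;   /* as in the pseudocode: saved with no further match */
        }
    }
    return r;
}
/* Constructed sample traffic. */
static const pkt_t SAMPLE[] = { {53}, {80}, {53}, {22}, {53}, {443}, {53} };
result_t demo(filter_fn start, filter_fn stop, filter_fn capture) {
    return trig_run(start, stop, capture, SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0]);
}

int main(void) {
    result_t r = demo(port80, port443, port53);
    printf("saved=%d stopped=%d\n", r.saved, r.stopped);
}
```

With a start filter and no stop filter, the packet that fires the trigger is saved even when it does not match the capture filter, because the capture filter is only installed after that packet has already been delivered.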