Ethereal-dev: Re: [Ethereal-dev] Display filter working

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Soft Boy <etherealfilter@xxxxxxxxx>
Date: Wed, 10 Mar 2004 22:52:59 -0800 (PST)
Thanks all for your quick responses.

More questions.

Any packet read using 'pcap_dispatch' in the 'capture' function in
'tethereal.c' comes in as a plain byte stream, is converted to Wiretap
format and then may be dissected to build the protocol tree.
Is it possible to strip off the pcap part (and how easy is it) and
'capture' the packets from a buffer (passed as an argument to the
capture function)?

I understand that I will have to reorganize the main function
(and maybe some other functions as well) to make Tethereal
a library for creating and matching filters.
Basically I have to write the following APIs:

1) int etherealInit();
2) int etherealCreateFilter(char* filterstr1); // returns filter id
3) int etherealCreateFilter(char* filterstr2); // returns filter id
4) int etherealMatchFilter(u_char* pkt, int len); // returns matched filter id

BTW, the tool I am trying to make is supposed to run
on RH Linux 7.2 or higher versions only.

thanks everyone
Sofy Guy

--- Gilbert Ramirez <gram@xxxxxxxxxxxxxxx> wrote:
> On Wed, 2004-03-10 at 11:37, Soft Boy wrote:
> > Hi All,
> >  
> > I have a requirement to filter packets stored in
> plain buffers. What I need is a good filter syntax
> and its parser (which ethereal display filters have)
> and a way to match filters to packets stored in a byte
> stream array.
> >  
> 
> The display filter mechanism is tied very closely to
> ethereal's model of
> a *dissected* packet, where fields and their values
> are laid out in the
> tree structure. Imagine the protocol tree in the
> middle pane of the
> ethereal GUI... that's the structure that the
> display filter mechanism
> works on.
> 
> For a buffer of bytes, tcpdump filters (a.k.a,
> libpcap filters, a.k.a,
> ethereal capture filters) are the way to go. You'd
> want to link to the
> pcap library, possibly modified, to use those.
> 
> 
> > Can I use ethereal display filters directly to do
> this using any command apart from the GUI ? OR if
> this is not possible.. Can I use any of the display
> filter APIs in ethereal code and write my own main
> function to remove capture filter capability and
> other unnecessary stuff OR Can I extract the display
> filter parsing and matching code with little efforts
> and write my own application ??
> >  
> > Is the display filtering done using BPF program
> like pcap_compile prepares for capture filters ?? OR
> does it have any other mechanism to do this ?? Where
> can I find more information about it ? Is there any
> thread/document which describes this mechanism ?? 
> >  
> >
> 
> There's a very very brief overview of the major
> parts of the display
> filter mechanism in docs/README.developer, section
> 5.0. But it doesn't
> go into much detail.
> 
> --gbilert
> 


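The filter API sketched in the message above, as an added example that is not part of the original thread or of the Ethereal/Wireshark code base. It follows Gilbert's advice: raw Ethernet frames are matched with classic BPF programs of the kind pcap_compile(3) produces (and tcpdump -dd prints), run by a small interpreter of the same opcode encoding, so the file builds without libpcap. The two filter programs are hand-assembled here; in a real tool etherealCreateFilter() would take the filter string, call pcap_compile() on a pcap_open_dead(DLT_EN10MB, 65535) handle and keep the resulting struct bpf_program. The function names are the poster's proposal, the frames are constructed, and the IP fragment check mirrors the one pcap_compile emits so that a non-first fragment with unrelated bytes at the port offset cannot match.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classic BPF instruction; same layout as struct bpf_insn in libpcap's <pcap/bpf.h>. */
struct insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };

/* Opcode encodings from the classic BPF instruction set (class | size | mode). */
#define LDH_ABS 0x28  /* A = big-endian 16-bit word at pkt[k]      */
#define LDB_ABS 0x30  /* A = pkt[k]                                */
#define LDH_IND 0x48  /* A = big-endian 16-bit word at pkt[X + k]  */
#define LDX_MSH 0xb1  /* X = 4 * (pkt[k] & 0x0f), i.e. IHL * 4     */
#define JEQ_K   0x15  /* pc += (A == k) ? jt : jf                  */
#define JSET_K  0x45  /* pc += (A & k)  ? jt : jf                  */
#define RET_K   0x06  /* return k (0 = reject, non-zero = accept)  */

/* Minimal classic-BPF interpreter. An out-of-range load rejects the packet,
 * which is also what libpcap's bpf_filter() does. */
static uint32_t bpf_run(const struct insn *p, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t A = 0, X = 0;
    for (size_t pc = 0; pc < n; pc++) {
        uint32_t k = p[pc].k;
        switch (p[pc].code) {
        case LDH_ABS: if (k + 2 > len) return 0; A = (uint32_t)pkt[k] << 8 | pkt[k + 1]; break;
        case LDB_ABS: if (k + 1 > len) return 0; A = pkt[k]; break;
        case LDH_IND: if (X + k + 2 > len) return 0; A = (uint32_t)pkt[X + k] << 8 | pkt[X + k + 1]; break;
        case LDX_MSH: if (k + 1 > len) return 0; X = 4u * (pkt[k] & 0x0f); break;
        case JEQ_K:   pc += (A == k) ? p[pc].jt : p[pc].jf; break;
        case JSET_K:  pc += (A & k)  ? p[pc].jt : p[pc].jf; break;
        case RET_K:   return k;
        default:      return 0;  /* opcode not implemented in this toy VM: reject */
        }
    }
    return 0;
}

/* Hand-assembled equivalent of what pcap_compile() emits for
 * "ip and <proto> and dst port <port>" on an Ethernet link (IPv4 only). */
#define DST_PORT_PROG(name, proto, port) static const struct insn name[] = { \
    { LDH_ABS, 0, 0, 12 },     /* A = ethertype                               */ \
    { JEQ_K,   0, 8, 0x0800 }, /* not IPv4 -> reject (index 10)               */ \
    { LDB_ABS, 0, 0, 23 },     /* A = IP protocol                             */ \
    { JEQ_K,   0, 6, proto },  /* other protocol -> reject                    */ \
    { LDH_ABS, 0, 0, 20 },     /* A = IP flags + fragment offset              */ \
    { JSET_K,  4, 0, 0x1fff }, /* non-first fragment has no L4 header: reject */ \
    { LDX_MSH, 0, 0, 14 },     /* X = IP header length                        */ \
    { LDH_IND, 0, 0, 16 },     /* A = dst port at 14 + X + 2                  */ \
    { JEQ_K,   0, 1, port },   /* port mismatch -> reject                     */ \
    { RET_K,   0, 0, 0xffff }, /* accept                                      */ \
    { RET_K,   0, 0, 0 } }     /* reject                                      */
DST_PORT_PROG(tcp_dst80, 6, 80);
DST_PORT_PROG(udp_dst53, 17, 53);

/* The poster's proposed API (assumed names), with the filter string replaced by
 * an already compiled program since this example carries no filter-language parser. */
#define MAX_FILTERS 8
static struct { const struct insn *prog; size_t len; } filters[MAX_FILTERS];
static int nfilters;

int etherealInit(void) { nfilters = 0; return 0; }

int etherealCreateFilter(const struct insn *prog, size_t len)  /* returns filter id, or -1 */
{
    if (nfilters == MAX_FILTERS || len == 0 || prog[len - 1].code != RET_K) return -1;
    filters[nfilters].prog = prog;
    filters[nfilters].len = len;
    return nfilters++;
}

int etherealMatchFilter(const uint8_t *pkt, size_t len)  /* first matching id, or -1 */
{
    for (int id = 0; id < nfilters; id++)
        if (bpf_run(filters[id].prog, filters[id].len, pkt, len) != 0) return id;
    return -1;
}

/* Constructed test frame (not a real capture): Ethernet + IPv4 (IHL 5) + 8 bytes of L4 header. */
static size_t build_ip_frame(uint8_t f[42], uint8_t proto, uint16_t dport, uint16_t frag)
{
    memset(f, 0, 42);
    f[12] = 0x08; f[13] = 0x00;                 /* ethertype IPv4          */
    f[14] = 0x45; f[16] = 0; f[17] = 28;        /* ver/IHL, total length   */
    f[20] = frag >> 8; f[21] = frag & 0xff;     /* flags / fragment offset */
    f[22] = 64; f[23] = proto;                  /* TTL, protocol           */
    f[34] = 0x04; f[35] = 0xd2;                 /* src port 1234           */
    f[36] = dport >> 8; f[37] = dport & 0xff;   /* dst port                */
    return 42;
}

/* Four scenarios; returns the id etherealMatchFilter() reports for each. */
int demo_case(int which)
{
    uint8_t f[42]; size_t n;
    etherealInit();
    etherealCreateFilter(tcp_dst80, sizeof tcp_dst80 / sizeof tcp_dst80[0]);  /* id 0 */
    etherealCreateFilter(udp_dst53, sizeof udp_dst53 / sizeof udp_dst53[0]);  /* id 1 */
    switch (which) {
    case 0:  n = build_ip_frame(f, 6, 80, 0x4000); break;   /* TCP to port 80, DF set      */
    case 1:  n = build_ip_frame(f, 17, 53, 0); break;       /* UDP to port 53              */
    case 2:  n = build_ip_frame(f, 6, 80, 0x0001); break;   /* TCP/80 bytes, later fragment */
    default: n = build_ip_frame(f, 6, 80, 0); f[13] = 0x06; break;  /* ethertype 0x0806, ARP */
    }
    return etherealMatchFilter(f, n);   /* expected: 0, 1, -1, -1 */
}

int main(void)
{
    for (int c = 0; c < 4; c++) printf("case %d -> filter %d\n", c, demo_case(c));
    return 0;
}
```

This is the trade-off Gilbert describes: a display filter needs the dissected protocol tree and cannot run on a bare buffer, whereas a BPF program works on fixed header offsets and so can answer the "packets stored in plain buffers" requirement directly, at the cost of only matching what the link, IP and transport headers expose. Matching several filters against one packet is a loop over compiled programs, so the "return the matched filter id" API in the message falls out naturally.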