On Wed, Aug 14, 2002 at 05:04:11PM -0400, Adeolu Adeoye wrote:
> Is there a way to configure filters to support trigger operation i.e.
> capturing only interesting packets?
Filters can arrange that you capture only interesting packets if your
definition of "interesting" depends only on the contents of the packet.
If, however, your definition of "interesting" depends on the contents of
previous packets, e.g. "all packets following an ICMP Host Unreachable
packet", there's no current way to do that. I assume that's what you're
talking about.
Code could be added to run all packets that pass the capture filter
through another filter, and discard all incoming packets (even if they
pass the capture filter) until a packet is seen that passes the other
filter. Writing that code is left as an exercise for the reader.
Note that the packets will get copied from the kernel to
libpcap/WinPcap, so it's not as if triggers are as cheap as capture
filters are on systems where there's a BPF interpreter in the kernel's
capture code. One could, in the OSes where the kernel's capture code is
changeable, add a "trigger" filter, to avoid the overhead of capturing
packets seen before the trigger filter is matched.
