
Wireshark-dev: Re: [Wireshark-dev] Triggers

From: "Luis EG Ontanon" <luis@xxxxxxxxxxx>
Date: Thu, 10 Apr 2008 22:31:22 +0200
I did not notice those replies to the bug.. Nice... I'll take a look...

 I wasn't aware of pcap_get_selectable_fd() either, and that may be
 because http://gd.tuwien.ac.at/infosys/security/tcpdump.org/pcap3_man.html
 does not show it... (Guy?)

 Windows does not implement it as it does not even have selectable fds or
 at least the one select() in winsock does not work on FDs so for
 WinPcap another approach should be taken (Gianluca?)

 I did not notice the load-peak while playing with it but I believe I
 should have felt it in my very slow PPC mac...  does pcap_dispatch work
 differently in linux and bsds? (Guy?)


 Thanks

 Luis




 On Thu, Apr 10, 2008 at 10:13 PM, Jason <wireshark@xxxxxxxxxxxxxx> wrote:
 > Luis EG Ontanon wrote:
 >
 > > As far as triggers go a while ago I checked in trigcap.c.
 > >
 >
 >  Nice.
 >
 >
 >
 > > It's an experiment I wrote that works with capture filters as
 > > start/stop triggers, I have not added it to the build process because
 > > I do not know if it works on anything other than my mac.
 > > it should not be difficult to mimic its mechanics in dumpcap.
 > >
 >
 >  It builds and runs on linux just fine.
 >
 >
 >
 > > it pcap_open_live()s a listener and a capturer (if a filter is given )
 > > it then enters a loop pcap_dispatch()ing a listener_handler and a
 > > capturer_handler
 > >
 >
 >  This monopolized the processor.  See the patches I wrote against trigcap.c
 > attached to bug 2039 [1].
 >
 >  The main goal of the patches was to run a specified program or script (eg
 > tshark with a read filter) at the start event and another program (eg
 > killall tshark) at the stop event.
 >
 >  The patches are just PoC, but seem to work for me.  Let me know what you
 > think...
 >
 >  thx,
 >
 >  Jason.
 >
 >  [1] - http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2039
 >
 >



 --
 This information is top security. When you have read it, destroy yourself.
 -- Marshall McLuhan
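
Added example, not part of the original messages and not taken from trigcap.c or the bug 2039 patches: a select()-based wait over two descriptors, so the loop sleeps until the listener or the capturer has data instead of spinning on pcap_dispatch(). The descriptors stand in for what pcap_get_selectable_fd() would return; the 'S'/'X' trigger bytes, the one-byte-per-packet framing, the 200 ms idle timeout and the function names are assumptions made for the illustration.

```c
#include <sys/select.h>
#include <unistd.h>

#define LISTENER_READY 1
#define CAPTURER_READY 2

/* Sleep in select() until a descriptor is readable. Returns a bitmask,
 * 0 on timeout, -1 on error. Pass capturer_fd = -1 to leave it unwatched. */
int wait_ready(int listener_fd, int capturer_fd, int timeout_ms)
{
    fd_set rfds;
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    int mask = 0, maxfd = listener_fd > capturer_fd ? listener_fd : capturer_fd;

    FD_ZERO(&rfds);
    FD_SET(listener_fd, &rfds);
    if (capturer_fd >= 0)
        FD_SET(capturer_fd, &rfds);
    if (select(maxfd + 1, &rfds, NULL, NULL, &tv) < 0)
        return -1;
    if (FD_ISSET(listener_fd, &rfds))
        mask |= LISTENER_READY;
    if (capturer_fd >= 0 && FD_ISSET(capturer_fd, &rfds))
        mask |= CAPTURER_READY;
    return mask;
}

/* Constructed protocol (assumption): 'S' on the listener starts capture,
 * 'X' stops it, every byte on the capturer is one packet. Returns the packets
 * counted, stores the number of select() wakeups, ends after 200 ms idle. */
int run_triggered(int listener_fd, int capturer_fd, int *wakeups)
{
    char buf[64];
    int capturing = 0, packets = 0, mask;
    ssize_t n;

    *wakeups = 0;
    while ((mask = wait_ready(listener_fd, capturing ? capturer_fd : -1, 200)) > 0) {
        (*wakeups)++;
        /* Drain queued packets before looking at a possible stop trigger. */
        if ((mask & CAPTURER_READY) && (n = read(capturer_fd, buf, sizeof buf)) > 0)
            packets += (int)n;
        if (mask & LISTENER_READY) {
            if (read(listener_fd, buf, 1) != 1 || buf[0] == 'X')
                break;
            if (buf[0] == 'S') capturing = 1;
        }
    }
    return packets;
}
```

With real handles, the read() calls would be pcap_dispatch() on whichever handle select() reported ready; as the message above notes, this approach does not carry over to WinPcap.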


