
Wireshark-users: [Wireshark-users] Filtering capture files for multiple host addresses

From: Rob Murphy <ictwm@xxxxxxxxxxx>
Date: Mon, 19 Nov 2007 14:55:04 +0100 (CET)
Hi All.
 
This is my first post to this list.
 
At present I am working on a system where all the capture for many testbeds is done at one central point (CISCO Catalyst 6500). The capture is done with Dumpcap using multiple files of 20 Meg. Using the central point for all the capture cannot be changed. I do not have any way of capturing on an interface on the testbeds used. As there are many testbeds I wrote some batch files to invoke tshark to filter the capture files for packets having a host (i.e. source or destination) IP address equal to the testbed's IP address. The filter is run for each testbed of interest. This system works at present, but in the future each host will go from having 1 IP address to 30. Filtering each capture file 30 times for each of the IP addresses will not work as it will be way too slow.
 
I see that you can have multiple filters when using Tshark and I was wondering if anyone had experience of using Tshark with 30 filter expressions. Does anyone know how much it will slow down the filtering?
 
Does anyone have an example of putting the filter expression in a file?
 
I have read all the manuals I can find but I cannot find a section giving the format for the filters when they are in a file and not on the command line.  
 
Does anyone know of some example C/C++ code using the wireshark libraries on Win XP to do this type of filtering? If I knew the file header format I could write a tool to do the filtering myself, but again there does not seem to be a concise definition of the file format and various warnings not to assume the headers will remain the same.
 
For my filter application the code can be a little more compact.
 
  • It does not need to worry about endianism.
  • It will always read from a file so no code to deal with live capture is needed.
  • It would not need to compile the filter.
  • It's only concerned with the IP address, so it does not need to worry about other protocols.
  • The only thing the application needs to read from the packet is total length, packet type, source IP address, dest IP address.
The packets could be written as they are found, or buffered up until all the capture file has been processed. This would depend on the number of open files the application could have. If the number of files that can be open is more than the number of testbeds being filtered for then the packets can be written as they are found. If there are more testbeds than the max number of open files then buffer up the writes and then go through them one at a time.
 
Thanks in advance for any help.
 
Robert Murphy
 

ICTWM Limited.


Email: rob.murphy@xxxxxxxxx

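As an added example (not code from the post, nor from the Wireshark project), a C sketch of the header-only filter described above: it reads the libpcap global header and each record header, looks only at the EtherType and the IPv4 source/destination fields, and copies matching records unchanged to an output buffer. It assumes a little-endian pcap file with Ethernet link type; the sample capture, the host list and the function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Added example, not the poster's code: keep libpcap records whose IPv4 src or dst is in a host list.
 * Assumes a little-endian pcap header (magic bytes d4 c3 b2 a1) and Ethernet link type 1. */
enum { PCAP_HDR_LEN = 24, REC_HDR_LEN = 16, FRAME_MIN = 34 }; /* 34 = Ethernet 14 + IPv4 through dst 20 */
static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; }
static int in_list(uint32_t ip, const uint32_t *h, size_t n) { for (size_t i = 0; i < n; i++) if (h[i] == ip) return 1; return 0; }
/* Copies the file header and each matching record to out[]; returns records kept, or -1 on bad input. */
long filter_pcap(const uint8_t *in, size_t in_len, const uint32_t *hosts, size_t nhosts,
                 uint8_t *out, size_t out_cap, size_t *out_len) {
    if (in_len < PCAP_HDR_LEN || out_cap < PCAP_HDR_LEN || le32(in) != 0xa1b2c3d4u || le32(in + 20) != 1) return -1;
    memcpy(out, in, PCAP_HDR_LEN);                          /* global header is passed through as-is */
    size_t off = PCAP_HDR_LEN, w = PCAP_HDR_LEN; long kept = 0;
    while (off + REC_HDR_LEN <= in_len) {
        uint32_t incl = le32(in + off + 8);                 /* incl_len: bytes captured in this record */
        if (incl > in_len - off - REC_HDR_LEN) return -1;   /* truncated record: refuse to guess */
        const uint8_t *f = in + off + REC_HDR_LEN;
        if (incl >= FRAME_MIN && f[12] == 0x08 && f[13] == 0x00 &&  /* EtherType IPv4 */
            (in_list(be32(f + 26), hosts, nhosts) || in_list(be32(f + 30), hosts, nhosts))) {
            if (w + REC_HDR_LEN + incl > out_cap) return -1;
            memcpy(out + w, in + off, REC_HDR_LEN + incl);  /* record header + frame, unchanged */
            w += REC_HDR_LEN + incl; kept++;
        }
        off += REC_HDR_LEN + incl;
    }
    *out_len = w;
    return kept;
}
static size_t put_rec(uint8_t *p, uint32_t src, uint32_t dst) { /* constructed zeroed 34-byte IPv4 frame */
    memset(p, 0, REC_HDR_LEN + FRAME_MIN);
    p[8] = p[12] = FRAME_MIN; p[REC_HDR_LEN + 12] = 0x08;   /* incl_len, orig_len, EtherType */
    for (int i = 0; i < 4; i++) {                            /* addresses are big-endian on the wire */
        p[REC_HDR_LEN + 26 + i] = (uint8_t)(src >> (24 - 8 * i)); p[REC_HDR_LEN + 30 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    return REC_HDR_LEN + FRAME_MIN;
}
size_t demo_out_len; /* bytes written by demo(), for inspection */
/* Two-record constructed capture filtered for testbed 10.0.0.5; returns the number of records kept. */
long demo(void) {
    uint8_t in[PCAP_HDR_LEN + 2 * (REC_HDR_LEN + FRAME_MIN)] = {0xd4, 0xc3, 0xb2, 0xa1, 2, 0, 4, 0};
    static uint8_t out[sizeof in]; in[20] = 1; size_t n = PCAP_HDR_LEN;   /* link type 1 = Ethernet */
    n += put_rec(in + n, 0x0A000005u, 0xC0A80101u);          /* 10.0.0.5 -> 192.168.1.1: kept */
    n += put_rec(in + n, 0xC0A80102u, 0xC0A80103u);          /* unrelated hosts: dropped */
    const uint32_t hosts[] = {0x0A000005u};
    return filter_pcap(in, n, hosts, 1, out, sizeof out, &demo_out_len);
}
```

Because the host list is checked once per packet, adding the 30 addresses per testbed costs a list lookup rather than a second pass over the file; the same output buffer layout can be written straight to a per-testbed file.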