tcpdump mailing list archives

Re: tcpdump/pcap 1-of-S sampling


From: Bruce M Simpson <bms () incunabulum net>
Date: Sat, 26 May 2007 13:33:12 +0100

kevin brintnall wrote:
> Hi,
> 
> I would like to add a feature to tcpdump/pcap to only capture 1/S packets
> for some positive integer S.  For example, this would be useful for
> traffic analysis on DNS servers where it's not feasible or desirable to
> capture every single packet.

I believe this feature was already implemented by folks at ICSI who were working on the Bro intrusion detection system around 18 months ago, although it hasn't made its way into FreeBSD's bpf implementation as far as I know; the blocker was the lack of versioning of the bpf API in order to discover if the opcode was present or not.

Regards,
BMS

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
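A user-space illustration of the 1/S sampling described in the thread, added here as an example (it is not tcpdump/libpcap code, nor the ICSI/Bro patch); the "packets" are constructed DNS query names rather than captured frames. It contrasts keeping every S-th packet with keeping each packet independently with probability 1/S, which matters when a source's traffic is itself periodic.

```python
"""1-in-S packet sampling as it would sit in a capture callback.
Added example, not code from tcpdump/libpcap or the ICSI/Bro patch.
Packets are constructed DNS query names standing in for real frames."""
import random
from collections import Counter

def systematic_sampler(s):
    """Keep every S-th packet seen (deterministic 1/S)."""
    if s < 1:
        raise ValueError("S must be a positive integer")
    seen = 0
    def keep(_pkt):
        nonlocal seen
        seen += 1
        return seen % s == 0
    return keep

def random_sampler(s, seed=None):
    """Keep each packet independently with probability 1/S."""
    if s < 1:
        raise ValueError("S must be a positive integer")
    rng = random.Random(seed)
    return lambda _pkt: rng.randrange(s) == 0

def sample_and_estimate(packets, keep, s):
    """Capture loop: count kept packets per name, scale by S to estimate totals."""
    kept = Counter(pkt for pkt in packets if keep(pkt))
    return {name: n * s for name, n in kept.items()}

def constructed_stream(s, rounds=100):
    """Constructed traffic: filler queries plus one client that hits every S-th slot."""
    names = ["a.test", "b.test", "c.test"]
    stream = []
    for _ in range(rounds):
        stream.extend(names[i % len(names)] for i in range(s - 1))
        stream.append("periodic.test")
    return stream

def run_demo(s=4, seed=1):
    """Return (systematic estimate, random estimate) for the same constructed stream."""
    stream = constructed_stream(s)
    systematic = sample_and_estimate(stream, systematic_sampler(s), s)
    randomised = sample_and_estimate(stream, random_sampler(s, seed), s)
    return systematic, randomised

if __name__ == "__main__":
    sys_est, rnd_est = run_demo()
    print("systematic:", sys_est)   # phase-locked: only periodic.test survives
    print("random:    ", rnd_est)   # all four names, each estimate near 100
```

With S=4 the systematic sampler lands on the periodic client every time and never sees the other three names, so its scaled estimate is wildly wrong, while the random sampler recovers all four at roughly their true counts.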

