[Winpcap-users] Changing WinPCAP Filters on the Fly

Gianluca Varenni gianluca.varenni at cacetech.com
Fri May 11 17:02:04 GMT 2007

  ----- Original Message ----- 
  From: John Hermanski 
  To: winpcap-users at winpcap.org 
  Sent: Friday, May 04, 2007 8:43 AM
  Subject: [Winpcap-users] Changing WinPCAP Filters on the Fly

  I'm looking into using WinPCAP for capturing and recording audio RTP streams. A single session, using a precompiled filter, works just fine.

  But in a "real" system, running multiple sessions, packets being captured would change on a regular basis. A stream can be uniquely identified by its source and destination UDP ports and IP addresses. To capture streams for 25 calls, you would need to 'or' together 25 expressions.

  Would compiling an expression or putting it into use break down when the expression got too large? 

It depends on the size of the expression, or better on the generated filter. I know that there are WinPcap-based applications making use of pretty complex filter strings without any problem (mainly large sets of IP addresses and TCP/UDP ports).

  When changing compiled expressions while capture is going, can packets be lost? 

Yes. All the packets that were captured by the driver but not delivered to user level yet are discarded. This is by design (you want to be sure that the received packets after the change are only packets matching the current filter).

  Capturing everything, and then doing filtering myself is an option, but probably not a good one. 

Depending on the traffic rate, it can be a reasonable choice or not. In general, filtering directly in the driver helps a lot when
- you have a very selective filter (i.e. you are accepting a really small subset of the traffic)
- you use a snaplen (i.e. you capture the first n bytes of the packet)
- the traffic rate is pretty high, let's say over 50-100MBps (this depends on a **large** number of factors).

Have a nice day

  Thanks for any help or opinions here. 
  Applications Engineer

  Dialogic Research Inc.

  Tel: (978) 744-9098
  Mobile: (978) 836-8028
  Email: john.hermanski at dialogic.com
  Web: www.dialogic.com



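The approach discussed in this thread, as an added example that is not part of the original messages: build one 'or'-ed expression from the active streams' addresses and UDP ports, then compile it and swap it into a running capture. The names `rtp_stream`, `build_rtp_filter`, `swap_filter` and the `HAVE_PCAP` build macro are assumptions made for this sketch, and the addresses are constructed sample values.

```c
#include <stdio.h>
#include <string.h>
#ifdef HAVE_PCAP                 /* assumed macro: define when building against WinPcap/libpcap */
#include <pcap.h>
#endif

/* One RTP stream, identified by addresses and UDP ports (hypothetical type). */
struct rtp_stream {
    const char *src_ip; unsigned src_port;
    const char *dst_ip; unsigned dst_port;
};

/* Write "(stream 1) or (stream 2) ..." into buf.
 * Returns the expression length, or -1 if there are no streams or buf is too small. */
int build_rtp_filter(const struct rtp_stream *s, size_t n, char *buf, size_t cap)
{
    size_t used = 0;
    if (n == 0 || cap == 0) return -1;   /* an empty expression would accept every packet */
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(buf + used, cap - used,
            "%s(udp and src host %s and src port %u and dst host %s and dst port %u)",
            i ? " or " : "", s[i].src_ip, s[i].src_port, s[i].dst_ip, s[i].dst_port);
        if (w < 0 || (size_t)w >= cap - used) return -1;  /* truncated: never install it */
        used += (size_t)w;
    }
    return (int)used;
}

#ifdef HAVE_PCAP
/* Compile first, then swap, so a bad expression leaves the running filter in place.
 * expr is char * because older pcap.h headers declare it without const. */
int swap_filter(pcap_t *p, char *expr, bpf_u_int32 netmask)
{
    struct bpf_program prog;
    if (pcap_compile(p, &prog, expr, 1, netmask) != 0) return -1;
    int rc = pcap_setfilter(p, &prog);   /* per the reply above, undelivered packets are discarded */
    pcap_freecode(&prog);
    return rc;
}
#endif

int main(void)
{
    /* Constructed sample streams (documentation address range). */
    struct rtp_stream calls[] = { {"192.0.2.10", 5004, "192.0.2.20", 6000},
                                  {"192.0.2.11", 5006, "192.0.2.21", 6002} };
    char expr[4096];
    if (build_rtp_filter(calls, 2, expr, sizeof expr) < 0) return 1;
    printf("%zu bytes: %s\n", strlen(expr), expr);
    return 0;
}
```

Because each swap discards packets still buffered in the driver, rebuild and install the expression only when the set of calls actually changes.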