curl-users
Re: pcap output
Date: Fri, 17 Jun 2011 12:24:03 +0200
"Daniel Nagy" <DanielNagy_at_gmx.de> wrote:
> This works for curl because it speaks http, but it looks different for other programs. Sure, I will have a look at
> your suggested --trace arguments, but that would only do it for curl. Having a pcapwrapper I could wrap it
> around every network program and see its traffic in a pcap file which only contains traffic from that program.
>
> e.g.:
>
> $ pcapout --outfile=apt.pcap apt-get update
I once had an idea for libpcap; make an extension to the filter-syntax that let
one read traffic to/from only a certain process (pid). E.g. 'tcpdump port http && pid == 123'.
So in your above program, pcapout could spawn 'apt-get', find its pid and start a libpcap
capture-thread with the pid in the filter. Hooking every system network-call (as you suggested)
would get you a little more detail, but it would be much more difficult and prone to problems
I think.
How to get the list of processes in relation to open/listening ports is another matter.
On Win-XP SP3 and later it's relatively easy with the IPhlpAPI and the 'GetExtendedTcpTable'
function. Here is a working example: http://www.codeproject.com/KB/IP/iphlpapi2.aspx
On other OSes one needs to check how 'netstat' works on those.
--gv
Received on 2011-06-17
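
The process-to-port lookup discussed above, sketched for Linux as an added example (not code from this thread, curl or libpcap): it joins `/proc/net/tcp` with the socket inodes under `/proc/<pid>/fd` and emits an ordinary libpcap filter for that process's connections. The function names are hypothetical, the sample table is constructed, and it assumes IPv4 on a little-endian host.

```python
import os, re, socket, struct, sys

# Constructed sample in the /proc/net/tcp layout (documentation addresses, not a real capture).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
   1: 076433C6:C350 0A0200C0:0050 01 00000000:00000000 00:00000000 00000000  1000        0 22222 1
   2: 076433C6:C351 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1
"""

def decode_addr(hexaddr):
    """'0100007F:0CEA' -> ('127.0.0.1', 3306); assumes a little-endian host."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_tcp_table(text):
    """Map socket inode -> (local_ip, local_port, remote_ip, remote_port)."""
    table = {}
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) >= 10:                        # inode is the tenth column
            table[int(f[9])] = decode_addr(f[1]) + decode_addr(f[2])
    return table

def socket_inodes(pid):
    """Socket inodes a process holds, from its /proc/<pid>/fd symlinks."""
    inodes = set()
    for fd in os.listdir(f"/proc/{pid}/fd"):
        try:
            target = os.readlink(f"/proc/{pid}/fd/{fd}")
        except OSError:                         # fd closed while we were looking
            continue
        m = re.fullmatch(r"socket:\[(\d+)\]", target)
        if m:
            inodes.add(int(m.group(1)))
    return inodes

def capture_filter(table, inodes):
    """Build a libpcap filter expression covering only these sockets."""
    clauses = []
    for inode in sorted(table.keys() & inodes):
        lip, lport, rip, rport = table[inode]
        if rport == 0:                          # listening socket: no peer yet
            clauses.append(f"(tcp port {lport})")
        else:
            clauses.append(f"(tcp and host {lip} and port {lport} "
                           f"and host {rip} and port {rport})")
    return " or ".join(clauses)

if __name__ == "__main__":                      # usage: script.py <pid>
    with open("/proc/net/tcp") as fh:
        print(capture_filter(parse_tcp_table(fh.read()), socket_inodes(int(sys.argv[1]))))
```

The filter is a snapshot: connections the process opens after the lookup, and anything listed in `/proc/net/tcp6` or `/proc/net/udp`, are not covered, so a wrapper would have to re-poll and rebuild the filter while the child runs.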