<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Changing WinPCAP Filters on the Fly</TITLE>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6000.16441" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT size=2></FONT> </DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=john.hermanski@eicon.com href="mailto:john.hermanski@eicon.com">John
Hermanski</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=winpcap-users@winpcap.org
href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Friday, May 04, 2007 8:43 AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> [Winpcap-users] Changing WinPCAP
Filters on the Fly</DIV>
<DIV><BR></DIV><!-- Converted from text/rtf format -->
<P><FONT face=Arial size=2>Hi,</FONT><FONT face="Times New Roman">
</FONT><BR><FONT face=Arial size=2>I'm looking into using WinPCAP for
capturing and recording audio RTP streams. A single session, using a
precompiled filter works just fine.</FONT></P>
<P><FONT face=Arial size=2>But in a "real" system, running multiple sessions,
packets being captured would change on a regular basis. A stream can be
uniquely identified by its source and destination UDP ports and IP addresses.
To capture streams for 25 calls, you would need to 'or' together 25
expressions.</FONT></P>
<P><FONT face=Arial size=2>Would compiling an expression or putting it into
use break down when the expression got too large?</FONT><FONT
face="Times New Roman"> </FONT></P><FONT face=Arial size=2></FONT></BLOCKQUOTE>
<DIV><FONT size=2>It depends on the size of the expression, or better on the
generated filter. I know that there are WinPcap based applications making use of
pretty complex filter strings without any problem (mainly large sets of IP
addresses and TCP/UDP ports).</FONT></DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV><FONT face=Arial size=2>When changing compiled expressions while capture
is going, can packets be lost?</FONT><FONT face="Times New Roman">
</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV></BLOCKQUOTE>
<DIV><FONT face=Arial size=2>Yes. All the packets that were captured by the
driver but not delivered to user level yet are discarded. This is by
design (you want to be sure that the received packets after the change are
only packets matching the current filter).</FONT></DIV><FONT face=Arial
size=2></FONT>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px"><FONT
size=2></FONT>
<DIV><BR><FONT face=Arial size=2>Capturing everything, and then doing
filtering myself is an option, but probably not a good one.</FONT><FONT
face="Times New Roman"> </FONT></DIV><FONT face=Arial
size=2></FONT></BLOCKQUOTE>
<DIV><FONT face=Arial size=2>Depending on the traffic rate, it can be a
reasonable choice or not. In general filtering directly in the driver helps a
lot when</FONT></DIV>
<DIV><FONT face=Arial size=2>- you have a very selective filter (i.e. you are
accepting a really small subset of the traffic)</FONT></DIV>
<DIV><FONT face=Arial size=2>- you use a snaplen (i.e. you capture the first n
bytes of the packet)</FONT></DIV>
<DIV><FONT face=Arial size=2>- the traffic rate is pretty high, let's say over
50-100MBps (this depends on a **large** number of factors).</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Have a nice day</FONT></DIV>
<DIV><FONT face=Arial size=2>GV</FONT></DIV>
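<DIV><FONT face=Arial size=2>Added example, not code from the thread or from the WinPcap project: the user-level alternative discussed above, a bounds-checked matcher that looks up the source/destination IPv4 address and UDP port 4-tuple of a raw Ethernet frame (as returned by pcap_next) in a session table. Because the table lives in the process, adding or dropping a call does not require a pcap_setfilter swap, so no packets already captured by the driver are discarded. Struct and function names, addresses and ports are assumptions constructed for the example.</FONT></DIV>

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* One RTP session keyed by IPv4 addresses and UDP ports (host byte order). Constructed type. */
struct rtp_session { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; };

/* Big-endian accessors: no host byte-order or alignment assumptions. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* Match an Ethernet II / IPv4 / UDP frame against the session table. Returns the
 * session index, or -1 when the frame is not UDP for a known session or is too
 * short to parse: every field read is bounds-checked against len first. */
int match_session(const uint8_t *f, size_t len, const struct rtp_session *tbl, size_t n)
{
    if (len < 14 + 20 || rd16(f + 12) != 0x0800) return -1;     /* not IPv4 */
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;                      /* IP options included */
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 14 + ihl + 8) return -1;
    if (ip[9] != 17 || (rd16(ip + 6) & 0x1fff) != 0) return -1;   /* UDP, first fragment only */
    uint32_t sip = rd32(ip + 12), dip = rd32(ip + 16);
    uint16_t sport = rd16(ip + ihl), dport = rd16(ip + ihl + 2);
    for (size_t i = 0; i < n; i++)
        if (tbl[i].src_ip == sip && tbl[i].dst_ip == dip &&
            tbl[i].src_port == sport && tbl[i].dst_port == dport)
            return (int)i;
    return -1;
}

/* Constructed test input: a minimal 42-byte Ethernet/IPv4/UDP frame with no payload.
 * out must have room for at least 42 bytes. */
size_t build_udp_frame(uint8_t *out, uint32_t sip, uint32_t dip, uint16_t sport, uint16_t dport)
{
    memset(out, 0, 42);
    wr16(out + 12, 0x0800);                                         /* EtherType IPv4 */
    out[14] = 0x45; wr16(out + 16, 28); out[22] = 64; out[23] = 17; /* IHL=5, length, TTL, UDP */
    wr32(out + 26, sip); wr32(out + 30, dip);
    wr16(out + 34, sport); wr16(out + 36, dport); wr16(out + 38, 8);
    return 42;
}
```

Packets a real capture hands back are matched the same way; the frame builder only exists so the matcher can be exercised offline.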
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV><BR><FONT face=Arial size=2>Thanks for any help or opinions here.</FONT>
</DIV>
<P><FONT face=Arial color=#000080 size=2>JOHN HERMANSKI</FONT><BR><FONT
face=Arial color=#808080 size=2>Applications Engineer<BR><BR></FONT><FONT
face=Arial color=#808080>Dialogic Research Inc.<BR><BR></FONT><FONT face=Arial
color=#808080 size=2>Tel:</FONT><FONT face=Arial color=#0000ff size=2></FONT>
<FONT face=Arial color=#000080 size=2>(978) 744-9098<BR></FONT><FONT
face=Arial color=#808080 size=2>Mobile:</FONT> <FONT face=Arial color=#000080
size=2>(978) 836-8028<BR></FONT><FONT face=Arial color=#808080
size=2>Email:</FONT><FONT face=Arial color=#000080 size=2>
john.hermanski</FONT><A href="mailto:tom.seidenstricker@dialogic.com"><U><FONT
face=Arial color=#000080 size=2>@dialogic.com</FONT></U></A><BR><FONT
face=Arial color=#808080 size=2>Web:</FONT><FONT face=Arial color=#000080
size=2> </FONT><A href="file://www.dialogic.com"><U></U><U><FONT face=Arial
color=#0000ff size=2>www.dialogic.com</FONT></U></A></P><BR>
<P>
<HR>
<P></P>_______________________________________________<BR>Winpcap-users
mailing
list<BR>Winpcap-users@winpcap.org<BR>https://www.winpcap.org/mailman/listinfo/winpcap-users<BR></BLOCKQUOTE></BODY></HTML>