Ask Your Question
0

Large Capture Filter

asked 2019-08-14 16:07:37 +0000

rewelch gravatar image

We service over 1000 networks through VPN connections and would like to be able to build a lengthy exclusion capture filter and add to it as more networks join. What is the maximum filter length and can this be done through a file based method so the list can be adapted as the customer base changes? Occasionally, we only want to capture traffic from unapproved or newly added sources.

edit retag flag offensive close merge delete

Comments

Is this a duplicate of your earlier question Extensive Filter Development?

If so, then we'll delete this question and you can amend your original question as required.

grahamb gravatar imagegrahamb ( 2019-08-14 16:16:37 +0000 )edit

Yes, sorry, the first one appeared lost during account creation, I guess it posted anyway. I prefer this one over the other. Thank you!

rewelch gravatar imagerewelch ( 2019-08-14 18:17:43 +0000 )edit

I marked the first as deleted.

rewelch gravatar imagerewelch ( 2019-08-14 18:20:56 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-08-14 19:19:05 +0000

Guy Harris gravatar image

updated 2019-08-14 19:19:36 +0000

What is the maximum filter length

There's no fixed maximum length; however:

  1. the filter is compiled into BPF pseudo-machine language and, on most platforms, handed to kernel-mode code, which probably imposes a maximum compiled-code size - if that's exceeded, the kernel-mode code will reject it, and libpcap/WinPcap/Npcap would have to do the filtering in user mode, with every received packet being copied up to user mode, which may cause more packet drops with high-volume traffic;
  2. the compiler's optimizer code path involves recursion, and a sufficiently complicated expression might cause a stack overflow.

can this be done through a file based method

tcpdump supports the -F command-line option, causing it to read the filter expression from a file.

TShark doesn't support that, although, with a UN*X-style shell, you could do

tshark -f `cat filter-file`

to insert the filter into a command-line from a file.

For Wireshark, you'd have to copy from the file and past into Wireshark.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-08-14 16:07:37 +0000

Seen: 746 times

Last updated: Aug 14 '19

Related questions

Is it possible to test a capture filter with already captured traffic?

How would I map this display filter to a capture filter?

Can't capture TLS certificate

Can I create a capture filter on a pcap file

Resolve frame subtype and export to csv

Error on Mac! Could not create profiles directory? Help!

How to create capture filter based on partial MAC address?

Increase column character length

How to go back to start screen?

Capture Filters - What am I doing wrong?