Ask Your Question
0

Large Capture Filter

asked 2019-08-14 16:07:37 +0000

We service over 1000 networks through VPN connections and would like to be able to build a lengthy exclusion capture filter and add to it as more networks join. What is the maximum filter length and can this be done through a file based method so the list can be adapted as the customer base changes? Occasionally, we only want to capture traffic from unapproved or newly added sources.

edit retag flag offensive close merge delete

Comments

Is this a duplicate of your earlier question Extensive Filter Development?

If so, then we'll delete this question and you can amend your original question as required.

grahamb gravatar imagegrahamb ( 2019-08-14 16:16:37 +0000 )edit

Yes, sorry, the first one appeared lost during account creation, I guess it posted anyway. I prefer this one over the other. Thank you!

rewelch gravatar imagerewelch ( 2019-08-14 18:17:43 +0000 )edit

I marked the first as deleted.

rewelch gravatar imagerewelch ( 2019-08-14 18:20:56 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-08-14 19:19:05 +0000

Guy Harris gravatar image

updated 2019-08-14 19:19:36 +0000

What is the maximum filter length

There's no fixed maximum length; however:

  1. the filter is compiled into BPF pseudo-machine language and, on most platforms, handed to kernel-mode code, which probably imposes a maximum compiled-code size - if that's exceeded, the kernel-mode code will reject it, and libpcap/WinPcap/Npcap would have to do the filtering in user mode, with every received packet being copied up to user mode, which may cause more packet drops with high-volume traffic;
  2. the compiler's optimizer code path involves recursion, and a sufficiently complicated expression might cause a stack overflow.

can this be done through a file based method

tcpdump supports the -F command-line option, causing it to read the filter expression from a file.

TShark doesn't support that, although, with a UN*X-style shell, you could do

tshark -f `cat filter-file`

to insert the filter into a command-line from a file.

For Wireshark, you'd have to copy from the file and past into Wireshark.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-08-14 16:07:37 +0000

Seen: 123 times

Last updated: Aug 14