48.4.1.0.1 Configuration

Pcap network objects may be configured as either associated with a live network or with a trace file. If associated with a live network, the particular network interface to be used may be specified, as well as an optional promiscuous flag. As with all network objects, they may be opened for reading or writing. Here is an example:
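     # name of the local system, used in the filter predicate below
     set me [exec hostname]
     set pf1 [new Network/Pcap/Live]
     $pf1 set promisc_ true
     # open activates the packet filter and returns the interface name
     set intf [$pf1 open readonly]
     puts "pf1 configured on interface $intf"
     set filt "(ip src host $me) and (not ether broadcast)"
     # filter loads the BPF program and returns its size in bytes
     set nbytes [$pf1 filter $filt]
     puts "filter compiled to $nbytes bytes"
     puts "drops: [$pf1 pdrops], pkts: [$pf1 pkts]"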
This example first determines the name of the local system, which will be used in constructing a BPF/libpcap filter predicate. The new Network/Pcap/Live call creates an instance of the pcap network object for capturing live traffic. The promisc_ flag tells the packet filter whether it should configure the underlying interface in promiscuous mode (if it is supported). The open call activates the packet filter, and may be specified as readonly, writeonly, or readwrite. It returns the name of the network interface the filter is associated with. The open call takes an optional extra parameter (not illustrated) indicating the name of the interface to use in cases where a particular interface should be used on a multi-homed host. The filter method is used to create a BPF-compatible packet filter program which is loaded into the underlying BPF machinery. The filter method returns the number of bytes used by the filter predicate. The pdrops and pkts methods are available for statistics collection. They report, respectively, the number of packets dropped by the filter due to buffer exhaustion and the total number of packets that arrived at the filter (not the number of packets accepted by the filter).
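
The following is an added example, not code from the ns manual: it opens the capture on a named interface of a multi-homed host using the optional open parameter described above, and turns the pdrops and pkts counters into a drop percentage so that buffer exhaustion is noticed. The interface name eth1 and the procedures open_capture and report_drops are assumptions made for illustration; the script must run inside ns with permission to open the interface.

```tcl
# Added example. Uses only the methods described above:
# promisc_, open, filter, pdrops and pkts.

# Open a read-only live capture on a named interface and load a filter.
# ifname is passed as the optional extra parameter to open.
proc open_capture {ifname filt} {
    set pf [new Network/Pcap/Live]
    # The filter used below matches only traffic sent by this host,
    # so the interface does not need promiscuous mode.
    $pf set promisc_ false
    if {[catch {$pf open readonly $ifname} intf]} {
        error "cannot open capture on $ifname: $intf"
    }
    set nbytes [$pf filter $filt]
    puts "capture on $intf, filter compiled to $nbytes bytes"
    return $pf
}

# Report how many arriving packets were lost to buffer exhaustion.
# pkts counts packets that arrived at the filter, not packets accepted.
proc report_drops {pf} {
    set drops [$pf pdrops]
    set pkts  [$pf pkts]
    set pct 0.0
    if {$pkts > 0} {
        set pct [expr {100.0 * $drops / $pkts}]
    }
    puts [format "arrived: %d  dropped: %d  (%.2f%%)" $pkts $drops $pct]
    return $pct
}

set me [exec hostname]
# eth1 is an assumed interface name; substitute the one to monitor.
set pf1 [open_capture eth1 "(ip src host $me) and (not ether broadcast)"]
report_drops $pf1
```

A non-zero drop percentage means the capture is incomplete, so any conclusion drawn from the captured traffic should take the missing packets into account.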

Tom Henderson 2014-12-17