This is an old revision of the document!


input_pcap

Mode interface

With this mode, you sniff packets from a specific interface. To avoid packet loss while using input_pcap, you may want to increase the nice level when running packet-o-matic. You can also sniff from all the interfaces by specifying the interface name 'any'. When starting, input_pcap shows which output layer will be used. When you sniff from an interface, it is either ethernet, or linux_cooked for special interfaces such as ppp interfaces.

Parameters for this mode :

  • interface

Interface name to sniff from or 'any' for all the interfaces. Default : eth0.

  • snaplen

Maximum captured size of the packets. The default is large enough to accommodate all the packets. You may need to raise it if you need to capture jumbo frames. Default : 1522.

  • promisc

Set the interface in promiscuous mode to capture packets not destined for the NIC's MAC address. You need to be on a hub to use this. It doesn't work when interface is set to 'any'. Default : no.

  • filter

Have packets filtered by the kernel. Make sure you know what you are doing when using this parameter. See man tcpdump or man pcap-filter for syntax. Default : none.

Mode file

In this mode, input_pcap will read its packets from a pcap file. Parameters for this mode :

  • file

Specify the file to read packets from. Default : dump.cap

  • filter

Have packets filtered by the kernel. Make sure you know what you are doing when using this parameter. See man tcpdump or man pcap-filter for syntax. Default : none.

Mode directory

This mode is very similar to mode file. However, instead of specifying a file, you specify a directory where the files will be found and the extension of the files to look at. It uses the timestamp of the first packet saved in each file to process the files in the right order. You can add files while it is processing, and it will process them too at the right time.

Parameters for this mode :

  • path

Specify the directory to read packets from. Default : /tmp

  • file_extension

Specify the extension of the files that should be processed. Default : .cap

  • filter

Have packets filtered by the kernel. Make sure you know what you are doing when using this parameter. See man tcpdump or man pcap-filter for syntax. Default : none.
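The ordering that mode directory relies on can be reproduced outside packet-o-matic to check which files a directory would yield and in what order. The following is an added example, not packet-o-matic's own code: it assumes classic pcap files (not pcapng), and the function names are hypothetical.

```python
import os
import struct
import tempfile

# Magic numbers of classic pcap files, mapped to sub-second ticks per second.
_MAGIC = {0xA1B2C3D4: 1_000_000, 0xA1B23C4D: 1_000_000_000}


def first_packet_ts(path):
    """Return the timestamp (seconds, float) of the first packet, or None."""
    with open(path, "rb") as f:
        head = f.read(24 + 16)  # global header + first record header
    if len(head) < 40:
        return None  # empty capture or truncated file
    for endian in ("<", ">"):  # the writer's byte order is not fixed
        magic = struct.unpack(endian + "I", head[:4])[0]
        if magic in _MAGIC:
            sec, frac = struct.unpack(endian + "II", head[24:32])
            return sec + frac / _MAGIC[magic]
    return None  # not a classic pcap file


def ordered_captures(directory, extension=".cap"):
    """List capture files in `directory`, earliest first packet first."""
    found = []
    for name in sorted(os.listdir(directory)):
        if name.endswith(extension):
            full = os.path.join(directory, name)
            ts = first_packet_ts(full)
            if ts is not None:  # skip empty or non-pcap files
                found.append((ts, full))
    return [p for _, p in sorted(found)]


def write_sample(path, sec, endian="<"):
    """Write a constructed one-packet pcap file (sample data, Ethernet)."""
    hdr = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1522, 1)
    pkt = b"\x00" * 14
    rec = struct.pack(endian + "IIII", sec, 0, len(pkt), len(pkt))
    with open(path, "wb") as f:
        f.write(hdr + rec + pkt)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        write_sample(os.path.join(d, "a.cap"), 2000)
        write_sample(os.path.join(d, "b.cap"), 1000, endian=">")
        for p in ordered_captures(d):
            print(p)  # b.cap is listed before a.cap
```

File names and modification times play no part in the result; only the first record's timestamp does, so a file copied in late with older packets sorts ahead of newer captures.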

pom/input/pcap.1350032223.txt.gz · Last modified: 2020/05/26 21:59 (external edit)