[tcpdump-workers] [tcpdump] Feature request: conditional run dissector on traffic (#495)
Michael Richardson
mcr at sandelman.ca
Wed Dec 16 13:01:45 EST 2015

> It has been mentioned briefly in #471: with the option -T radius it is
> possible to dissect traffic over non-RADIUS ports as RADIUS, but this
> means all traffic will be dissected as RADIUS.
>
> A short use case as an example: FreeRADIUS has the possibility to use a
> RESTful server for authorization. My RESTful daemon will send a
> CoA/Disconnect if this user still has another session, and my NAS
> requires that I send it to port 1700 instead of the standard port. I
> want to see all the traffic that is relevant, which means UDP port 1812
> for RADIUS authentication, TCP port 80 for the RESTful traffic and UDP
> port 1700 for RADIUS CoA/Disconnect.
>
> Until yesterday, UDP port 1700 was not marked as RADIUS, which means
> that would not be dissected. If I use -T radius, all traffic would be
> dissected as RADIUS, so the HTTP traffic would be mangled.
>
> It would be nice if there was a possibility to conditionally mark
> traffic as a certain protocol, like saying -T "udp port 1700 = radius,
> tcp port 4080 = http".

Being able to dynamically map ports -> protocols in TCPDUMP would indeed be a
nice thing to have. I think that squishing it all into -T is too hard.
I'd rather have a file that describes the mapping, and just bake a file like
that in as the default. As for a syntax...
I was thinking that maybe we could use pcap filters as the matchers.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] mcr at sandelman.ca http://www.sandelman.ca/ | ruby on rails [