default interfaces to monitor

[Michael Hornung]

I think it's safest to make the user specify which ifc to open.

-Mike

On Thu, 11 Oct 2007 at 18:08, Carter Bullard wrote:

|Gentle people,
|We are free to modify some of argus's behaviors for the 3.0
|release and I'd like to get some feedback on what argus does
|when you don't give it an interface to monitor.
|
|Currently, argus opens the first interface that it finds, by using
|pcap_lookupdev(buf).  That is what tcpdump() does, and so there
|is some precedence.  However, there are alternatives.
|
|The first could be that it prints out the possible interfaces and exists.
|Argus
|currently does this on Cygwin, because the interface names are so
|hideous.
|
|The second strategy is that it could open all the interfaces it finds.
|This is an interesting scenario with its own issues (does argus
|pool all the packets like the Linux "any" interface, or does it pass
|into the flow modeler the interface id, which becomes a part of the
|flow key)?
|
|The third would be to do what it is doing right now (the zeroth strategy
|I guess ;o).  My vote is to keep this behavior, and code up a change for
|argus-3.1 but if the community has a strong opinion, then I'll make
|a change.
|
|Do we have a vote/opinion/reaction/suggestion/comment?
|
|Carter
|