Concepts

Here you'll find a short overview of how the sniffer works, from the user's point of view.

Architecture overview

The sniffer consists of two separate threads of execution, symbolically called the sniffer thread and the dumper thread.

The sniffer thread attaches itself to the specified device, captures all traffic passing through it and, after filtering, places the captured packets into a buffer for later processing. Filtering is performed by a user-defined script function, which is called for every captured packet. More information will follow in the Scripting section.

The dumper thread periodically empties the buffer by calling a user-defined function and passing it every packet, broken down into header fields and packet contents. After this function returns, the packet is removed from the buffer.

The sniffer provides a few means to control how often the dumper thread dumps the buffer contents. One of them is to specify an interval of time after which a buffer dump starts. This option is useful if it's important to bound the time between a packet appearing on the device and the moment you get the chance to do something with it. Another option is to specify the size of the buffer: the dump process starts once the buffer reaches this size and goes on until the buffer is empty. This is useful if real-time response is not an issue but you'd like to control the memory usage of the sniffer (for example, if you only care to log incoming packets to a file or wherever). A variation of this option is to specify the maximum number of packets in the buffer: once that many packets are buffered, the dump process starts and goes on until the buffer is empty.
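As an added illustration of this producer/consumer design (example code written for this page, not the sniffer's own implementation), the Python below models the shared buffer with the three dump triggers described above: time interval, buffered bytes and packet count. The PacketBuffer class, its method names and the sample packets are assumptions made for the example.

```python
import threading
import time
from collections import deque

SAMPLE_PACKETS = [  # constructed samples (header fields, payload), not real captures
    ({"src": "10.0.0.1", "dst": "10.0.0.2", "proto": "tcp", "dport": 80}, b"GET / HTTP/1.0\r\n"),
    ({"src": "10.0.0.3", "dst": "10.0.0.2", "proto": "udp", "dport": 53}, b"\x12\x34\x01\x00"),
    ({"src": "10.0.0.2", "dst": "10.0.0.1", "proto": "tcp", "dport": 443}, b"\x16\x03\x01\x00\x05"),
]

class PacketBuffer:
    """Buffer shared by the sniffer thread (producer) and the dumper thread (consumer)."""

    def __init__(self, filter_fn, dump_fn, interval=None, max_bytes=None, max_packets=None):
        self.filter_fn, self.dump_fn = filter_fn, dump_fn
        self.interval, self.max_bytes, self.max_packets = interval, max_bytes, max_packets
        self.queue, self.size, self.last_dump = deque(), 0, time.monotonic()
        self.cond = threading.Condition()

    def capture(self, header, payload):
        """Sniffer side: run the user filter, buffer the packet only if it passes."""
        if not self.filter_fn(header, payload):
            return False
        with self.cond:
            self.queue.append((header, payload))
            self.size += len(payload)
            if self.dump_due():
                self.cond.notify()          # wake a waiting dumper thread early
        return True

    def dump_due(self, now=None):
        # True when the buffer is non-empty and any enabled trigger (None = disabled) fires.
        now = time.monotonic() if now is None else now
        return bool(self.queue) and (
            (self.interval is not None and now - self.last_dump >= self.interval)
            or (self.max_bytes is not None and self.size >= self.max_bytes)
            or (self.max_packets is not None and len(self.queue) >= self.max_packets))

    def dump(self):
        """Dumper side: hand each packet to dump_fn, remove it afterwards, stop when empty."""
        dumped = 0
        while True:
            with self.cond:
                if not self.queue:
                    self.last_dump = time.monotonic()
                    return dumped
                header, payload = self.queue[0]
            self.dump_fn(header, payload)   # called outside the lock so capture is not blocked
            with self.cond:
                self.queue.popleft()
                self.size -= len(payload)
            dumped += 1
```

A dumper thread would loop on `with buf.cond: buf.cond.wait_for(buf.dump_due, timeout=buf.interval)` followed by `buf.dump()`, so it wakes either when a threshold is hit or when the interval elapses.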