Do you know how to read a pcap file continuously?

Carter Bullard carter at qosient.com
Tue Sep 17 09:58:22 EDT 2013


Hey El Draco,
This type of feature would have to be supported by libpcap(),
as it is the logic that reads the packets from files.

If there is a decent way to seek() into a libpcap file
once we've opened the file with pcap_fopen_offline(),
then I can put it into argus.

Carter


On Sep 17, 2013, at 8:12 AM, el draco <eldraco at gmail.com> wrote:

> Hi list.
> 
> We need your help.
> We have a lot of running pcap captures here that are storing the
> packets in pcap files on the disk. These files are continuously
> growing and we are using argus to analyze them.
> (We cannot change this and use only argus; we need the pcaps)
> 
> We want to have argus read these pcap files and generate some output
> (or a server port waiting for a client or write the data to files).
> But argus should run continuously without stopping, like when it is
> reading packets from the network. If new packets are added to the pcap
> file, we want argus to find them.
> 
> I know that you can not use -r in argus and at the same time open a
> port for listening requests.
> 
> Did any of you solve this before? How to continuously analyze a pcap file?
> 
> Also we can't run argus each time we need data, because in large files
> it can take up to 5 minutes to read one pcap.
> 
> thanks a lot
> sebas
> 

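Carter's point is that libpcap's offline reader (pcap_fopen_offline followed by pcap_next) walks the file sequentially and reports end-of-file once it runs out of bytes, so following a file that is still being written needs a reader that remembers where it stopped and seeks back to that offset on the next pass. The following is an added example of that technique, not argus or libpcap code: a small pcap record parser that is polled repeatedly, returns only records that are completely on disk, and leaves a half-written record (header or payload) for the next poll. It assumes the capture process only appends to the file (no rotation or truncation), which a real deployment would have to check, e.g. by comparing inode and size. The PcapTailer class, pack_* helpers and run_demo scenario are constructed for this example.

```python
import os
import struct
import tempfile

GLOBAL_HDR_LEN = 24
REC_HDR_LEN = 16
# magic bytes as they appear on disk -> (struct byte-order prefix, nanosecond timestamps)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", False), b"\xa1\xb2\xc3\xd4": (">", False),
    b"\x4d\x3c\xb2\xa1": ("<", True),  b"\xa1\xb2\x3c\x4d": (">", True),
}
MAX_SNAPLEN = 262144  # assumed clamp for snaplen == 0 or absurd values, like libpcap's


def pack_global_header(snaplen=65535, linktype=1):
    """Little-endian, microsecond pcap global header (linktype 1 = Ethernet)."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)


def pack_record(ts_sec, ts_frac, data):
    """Record header (ts_sec, ts_frac, incl_len, orig_len) followed by the bytes."""
    return struct.pack("<IIII", ts_sec, ts_frac, len(data), len(data)) + data


class PcapTailer:
    """Returns the complete records appended to a pcap file since the last poll()."""

    def __init__(self, path):
        self.path = path
        self.offset = 0      # file offset of the next unread record
        self.endian = None   # None until the global header has been parsed
        self.nanos = False
        self.snaplen = MAX_SNAPLEN
        self.linktype = None

    def _read_global_header(self, f):
        hdr = f.read(GLOBAL_HDR_LEN)
        if len(hdr) < GLOBAL_HDR_LEN:
            return False     # the writer has not finished the header yet
        if hdr[:4] not in MAGICS:
            raise ValueError("not a pcap file: magic %r" % hdr[:4])
        self.endian, self.nanos = MAGICS[hdr[:4]]
        _, _, _, _, _, snaplen, self.linktype = struct.unpack(self.endian + "IHHiIII", hdr)
        if 0 < snaplen <= MAX_SNAPLEN:
            self.snaplen = snaplen   # bounds every later payload read
        self.offset = GLOBAL_HDR_LEN
        return True

    def poll(self):
        """Return [(ts_sec, ts_frac, bytes), ...] for every record completely on disk.
        A partially written record is not consumed; offset stays at its start."""
        records = []
        with open(self.path, "rb") as f:
            if self.endian is None and not self._read_global_header(f):
                return records
            f.seek(self.offset)          # resume where the previous poll stopped
            while True:
                start = f.tell()
                rh = f.read(REC_HDR_LEN)
                if len(rh) < REC_HDR_LEN:
                    break                # partial record header
                ts_sec, ts_frac, incl_len, orig_len = struct.unpack(self.endian + "IIII", rh)
                if incl_len > self.snaplen:
                    raise ValueError("corrupt record header at offset %d" % start)
                data = f.read(incl_len)
                if len(data) < incl_len:
                    break                # partial packet payload
                records.append((ts_sec, ts_frac, data))
                self.offset = start + REC_HDR_LEN + incl_len
        return records


def run_demo():
    """Constructed scenario: one full record, then a record whose tail arrives
    after the first poll. Returns the results of three successive polls."""
    pkt1 = pack_record(1, 2, b"\x00" * 14 + b"A")
    pkt2 = pack_record(3, 4, b"\x11" * 20)
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(pack_global_header() + pkt1 + pkt2[:20])  # pkt2 cut mid-payload
        tailer = PcapTailer(path)
        first = tailer.poll()    # pkt1 only
        second = tailer.poll()   # nothing new; partial pkt2 still untouched
        with open(path, "ab") as f:
            f.write(pkt2[20:])   # the capture process finishes the record
        third = tailer.poll()    # now pkt2
    finally:
        os.remove(path)
    return first, second, third


if __name__ == "__main__":
    for n, result in enumerate(run_demo(), 1):
        print("poll %d: %d record(s)" % (n, len(result)))
```

In a long-running process the poll() loop would sit behind a sleep or an inotify watch and hand each record to the flow logic; the snaplen check matters because a reader that trusts incl_len from a file it does not control can be made to allocate or skip arbitrary amounts of data.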