Do you know how to read a pcap file continuously?

el draco eldraco at gmail.com
Tue Sep 17 11:02:08 EDT 2013


Thanks Carter. That is exactly what we realized. I would love a seek()
on libpcap.

I know it is off-topic but, right now we solve it with something like this:

First start the capture in file.pcap

tail -f test.pcap -n 1000 | tcpdump -n -s0 -r -

That can read a pcap file continuously. You can use tshark instead.

With argus you can do:
tail -f test.pcap -n 1000 | argus -r - -w test.argus

(the -n is useful if you want to read big files. You must go to the
start of the file with the -n value)

And after that you can run several times:
ra -r test.argus

Not the best I know...
sebas

On Tue, Sep 17, 2013 at 3:58 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey El Draco,
> This type of feature would have to be supported by libpcap(),
> as it is the logic that reads the packets from files.
>
> If there is a decent way to seek() into a libpcap file
> once we've opened the file with pcap_fopen_offline(),
> then I can put it into argus.
>
> Carter
>
>
> On Sep 17, 2013, at 8:12 AM, el draco <eldraco at gmail.com> wrote:
>
>> Hi list.
>>
>> We need your help.
>> We have a lot of running pcap captures here that are storing the
>> packets in pcap files on the disk. These files are continuously
>> growing and we are using argus to analyze them.
>> (We cannot change and use only argus, we need the pcaps)
>>
>> We want to have argus read these pcap files and generate some output
>> (or a server port waiting for a client or write the data to files).
>> But argus should run continuously without stopping, like when it is
>> reading packets from the network. If new packets are added to the pcap
>> file, we want argus to find them.
>>
>> I know that you cannot use -r in argus and at the same time open a
>> port for listening requests.
>>
>> Did any of you solve this before? How to continuously analyze a pcap file?
>>
>> Also we can't run argus each time we need data, because in large files
>> it can take up to 5 minutes to read one pcap.
>>
>> thanks a lot
>> sebas
>>
>
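The "tail -f | tcpdump -r -" pipeline above works because tcpdump only ever sees whole records once tail has delivered them; a reader that opens the growing file itself has to do that bookkeeping. The following is an added example, not argus, libpcap or code from anyone in this thread: a small Python follower for the classic pcap format (not pcapng) that remembers a byte offset, consumes only complete records, and retries a half-written record on the next pass. The class name, the helper that builds the sample file, and the 262144 upper bound on a record length are this example's own choices.

```python
import struct

# Added illustration, not argus or libpcap code: follow a pcap file that a capture
# process is still appending to. It keeps a byte offset and only consumes complete
# records, so a record that is half-written when we look is retried, not misparsed.

GLOBAL_HDR_LEN, REC_HDR_LEN = 24, 16
MAGICS = {0xA1B2C3D4: ("<", 10**6), 0xA1B23C4D: ("<", 10**9),   # magic as read "<I" ->
          0xD4C3B2A1: (">", 10**6), 0x4D3CB2A1: (">", 10**9)}   # (byte order, ts divisor)

def build_pcap(records, snaplen=65535):
    """Constructed sample data: little-endian usec pcap bytes from (ts, packet) pairs."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)  # linktype 1: Ethernet
    for ts, data in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, round((ts - sec) * 10**6), len(data), len(data)) + data
    return out

class PcapFollower:
    def __init__(self, path):
        self.path, self.offset, self.endian, self.ts_div = path, 0, None, None

    def read_available(self):
        """Return all complete (timestamp, packet_bytes) records appended since the last call."""
        packets = []
        with open(self.path, "rb") as f:
            if self.endian is None:                       # first call: parse the global header
                hdr = f.read(GLOBAL_HDR_LEN)
                if len(hdr) < GLOBAL_HDR_LEN:
                    return packets                        # header not fully written yet
                (magic,) = struct.unpack("<I", hdr[:4])   # magic is stored in writer byte order
                if magic not in MAGICS:
                    raise ValueError("not a pcap file (bad magic)")
                self.endian, self.ts_div = MAGICS[magic]
                self.offset = GLOBAL_HDR_LEN
            f.seek(self.offset)                           # the seek() the thread wishes libpcap exposed
            while True:
                rec = f.read(REC_HDR_LEN)
                if len(rec) < REC_HDR_LEN:
                    break                                 # partial record header: wait for more
                sec, frac, incl_len, orig_len = struct.unpack(self.endian + "IIII", rec)
                if incl_len > 262144:                     # above any sane snaplen: corrupt input
                    raise ValueError("corrupt record at offset %d" % self.offset)
                data = f.read(incl_len)
                if len(data) < incl_len:
                    break                                 # packet body still being written
                self.offset += REC_HDR_LEN + incl_len     # commit only after a whole record
                packets.append((sec + frac / self.ts_div, data))
        return packets
```

Calling read_available() in a loop with a short sleep when it returns nothing gives the same behaviour as tail -f, without re-reading the start of the file each time.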
