Do you know how to read a pcap file continuously?

James A. Robinson jimr at highwire.stanford.edu
Wed Sep 18 11:31:19 EDT 2013


On Wed, Sep 18, 2013 at 7:49 AM, Carter Bullard <carter at qosient.com> wrote:

> So a few situational issues that we need to resolve.
>    1. I presume that you want to wait for the packet file to show up, if
> it's not there when we start ?
>    2. What do we do when the file is removed ??  Should we exit ???? Or
> should we wait for a new one to arrive??
>
> There are a few gotchas I need to account for, say when argus starts and
> the initial pcap file is empty.
>

If you're soliciting feedback from list readers, I'd like to throw in a
vote for behavior similar to how tail(1) operates...

1. If the file isn't there, exit with a message indicating that.

2. Since tail keeps its file open this doesn't come up for it, but it does
warn about the file changing, so waiting for a new file to arrive and
warning about the change would make sense to me (perhaps also warning about
the file going away when that is first detected).

3. If the pcap file is zero length, just wait for data to arrive.
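
The three tail(1)-like behaviours voted for above, sketched as an added example that is not part of the original message and is not argus code. The class name `PcapFollower` and the warning strings are hypothetical, and it assumes the classic pcap format with microsecond timestamps on a POSIX filesystem.

```python
import os
import struct

MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # on-disk magic -> byte order

class PcapFollower:  # hypothetical name, not an argus API
    def __init__(self, path):
        if not os.path.exists(path):  # point 1: a missing file is an error at start
            raise FileNotFoundError(f"{path}: no such pcap file")
        self.path, self.warnings = path, []
        self._open()

    def _open(self):
        self.fh = open(self.path, "rb")
        st = os.fstat(self.fh.fileno())
        self.ident, self.endian, self.pos, self.gone = (st.st_dev, st.st_ino), None, 0, False

    def _drain(self):  # parse complete records past self.pos, leave partial data for later
        self.fh.seek(self.pos)
        buf, off, out = self.fh.read(), 0, []
        if self.endian is None:
            if len(buf) < 24:  # point 3: empty or short file, wait for the global header
                return out
            if buf[:4] not in MAGICS:
                raise ValueError("not a classic pcap file")
            self.endian, off = MAGICS[buf[:4]], 24
        while len(buf) - off >= 16:
            sec, usec, caplen, _ = struct.unpack_from(self.endian + "IIII", buf, off)
            if len(buf) - off - 16 < caplen:  # record is still being written
                break
            out.append((sec, usec, buf[off + 16:off + 16 + caplen]))
            off += 16 + caplen
        self.pos += off
        return out

    def poll(self):  # returns packets completed since the last call as (sec, usec, data)
        packets = self._drain()  # the open handle stays readable even if the name is gone
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            if not self.gone:  # point 2: warn when first detected, then keep waiting
                self.gone = True
                self.warnings.append(f"{self.path} has gone away")
            return packets
        if (st.st_dev, st.st_ino) != self.ident:  # a new file arrived under the same name
            self.warnings.append(f"{self.path} has been replaced; following new file")
            self.fh.close()
            self._open()
            packets += self._drain()
        return packets
```

A caller would invoke `poll()` on a timer and print anything new in `warnings`; truncation of the file in place is not handled here.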