Do you know how to read a pcap file continuously?

Carter Bullard carter at qosient.com
Wed Sep 18 12:20:49 EDT 2013 

Not sure that I can resolve your 1 and 2.  

So, I could see a situation where argus is just sitting on
a single tcpdump output file, say /tmp/tcpdump.out.

This thing grows until someone decides to harvest the file,
and renames it and somehow tcpdump recreates it and continues to write.
Argus will have to close the packet file it had open, and open the same
packet file again.  In this case the file will not exist for a little while.

I could implement this as a loop trying to resolve the argus
"waiting for the file to show up" state.

Carter



On Sep 18, 2013, at 11:31 AM, "James A. Robinson" <jimr at highwire.stanford.edu> wrote:

> On Wed, Sep 18, 2013 at 7:49 AM, Carter Bullard <carter at qosient.com> wrote:
> So a few situational issues that we need to resolve.
>    1. I presume that you want to wait for the packet file to show up, if its not there when we start ?
>    2. What do we do when the file is removed ??  Should we exit ???? Or should we wait for a new one to arrive??
> 
> There are a few gottcha's I need to account for, say when argus starts and the initial pcap file is empty.
> 
> If you're soliciting feedback from list readers, I'd like to throw in a vote for behavior similar to how tail(1) operates...
> 
> 1. If the file isn't there, exit with a message indicating that.
> 
> 2. Since tail keeps its file open this doesn't come up for it, but it does warn about the file changing, so waiting for a new file to arrive and warning about the change would make sense to me (perhaps also warning about the file going away when that is first detected).
> 
> 3. If the pcap file is zero length, just want for data to arrive.
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130918/a3f5dedc/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6837 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130918/a3f5dedc/attachment.bin>

More information about the argus mailing list