Do you know how to read a pcap file continuously?

James A. Robinson jimr at highwire.stanford.edu
Wed Sep 18 12:27:06 EDT 2013


On Wed, Sep 18, 2013 at 9:20 AM, Carter Bullard <carter at qosient.com> wrote:

> Not sure that I can resolve your 1 and 2.
>
> So, I could see a situation where argus is just sitting on
> a single tcpdump output file, say /tmp/tcpdump.out.
>
> This thing grows until someone decides to harvest the file,
> and renames it and somehow tcpdump recreates it and continues to write.
> Argus will have to close the packet file it had open, and open the same
> packet file again.  In this case the file will not exist for a little
> while.
>
> I could implement this as a loop trying to resolve the argus
> "waiting for the file to show up" state.
>

Based on the earlier messages it sounded as though you wouldn't
be keeping the filehandle open, that you were periodically opening
the file and seeking from the last read position?

If in fact you are keeping the filehandle open all the time, then
my #2 doesn't make sense, and I believe you'd never really
detect the "gone away" situation w/o an explicit check (since
your process has an open handle, the OS will still register the
file as existing, even if unnamed).

What I had been imagining, if you weren't keeping an open
handle, was that the first run would error out if the filename
wasn't available, and subsequent opens, from a periodic
polling loop, would then wait for the file to reappear.  In my
opinion it's actually better if you can just keep the filehandle
open and then behave exactly like tail(1) (that behavior would
be the least surprising, in my opinion).


Jim
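The tail(1)-style behaviour discussed above, as an added example rather than argus or tcpdump code: the reader keeps its handle open, hands back only complete pcap records, and detects the harvest case (file renamed, then recreated by the writer) by comparing the inode behind the open handle with the inode the path now resolves to, the same check `tail -F` relies on. The path, packet contents and timestamps are constructed for the demonstration; the pcap framing constants are the standard little-endian format.

```python
import os
import struct
import tempfile

# Classic little-endian pcap layout.
PCAP_MAGIC_LE = 0xA1B2C3D4
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len


def build_pcap(packets):
    """Build a minimal pcap (linktype 1 = Ethernet) around constructed packet bytes."""
    out = GLOBAL_HDR.pack(PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for i, pkt in enumerate(packets):
        out += REC_HDR.pack(1379500000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


class PcapTailer:
    """Read a growing pcap like tail -F: keep the handle open, return complete
    records only, and reopen by name once the writer has rotated the file."""

    def __init__(self, path):
        self.path = path
        self.fh = None       # open handle, kept across poll() calls
        self.inode = None    # inode of the file behind self.fh
        self.pending = b""   # bytes read that do not yet form a complete record
        self.header_seen = False

    def _open(self):
        try:
            # Unbuffered so read() returns exactly what is on disk right now.
            self.fh = open(self.path, "rb", buffering=0)
        except FileNotFoundError:
            return False  # the "waiting for the file to show up" state
        self.inode = os.fstat(self.fh.fileno()).st_ino
        self.pending, self.header_seen = b"", False
        return True

    def _rotated(self):
        """The open handle keeps the old file alive, so compare inodes by name."""
        try:
            return os.stat(self.path).st_ino != self.inode
        except FileNotFoundError:
            return True  # renamed away and not yet recreated

    def _drain(self):
        """Consume everything appended since the last read; yield complete records only."""
        self.pending += self.fh.read()
        records = []
        if not self.header_seen:
            if len(self.pending) < GLOBAL_HDR.size:
                return records
            if GLOBAL_HDR.unpack_from(self.pending)[0] != PCAP_MAGIC_LE:
                raise ValueError("not a little-endian pcap file")
            self.pending = self.pending[GLOBAL_HDR.size:]
            self.header_seen = True
        while len(self.pending) >= REC_HDR.size:
            ts_sec, ts_usec, incl_len, _orig = REC_HDR.unpack_from(self.pending)
            end = REC_HDR.size + incl_len
            if len(self.pending) < end:
                break  # writer is mid-record; finish it on a later poll
            records.append((ts_sec + ts_usec / 1e6, self.pending[REC_HDR.size:end]))
            self.pending = self.pending[end:]
        return records

    def poll(self):
        """Return (timestamp, packet) tuples appended since the previous call."""
        if self.fh is None and not self._open():
            return []
        records = self._drain()
        if self._rotated():
            records += self._drain()  # writer may have flushed a last record before the rename
            self.fh.close()
            self.fh = None
            if self._open():          # new file may not exist yet; a later poll() retries
                records += self._drain()
        return records


def simulate_rotation():
    """Constructed scenario: writer appends, a harvester renames the file, writer recreates it.
    Returns the packet lengths seen at each poll so the sequence can be checked."""
    path = os.path.join(tempfile.mkdtemp(), "tcpdump.out")
    with open(path, "wb") as f:
        f.write(build_pcap([b"\x01" * 14, b"\x02" * 20]))
    tailer = PcapTailer(path)
    seen = [[len(p) for _, p in tailer.poll()]]          # initial contents
    rec = REC_HDR.pack(1379500002, 500000, 6, 6) + b"abcdef"
    with open(path, "ab") as f:
        f.write(rec[:10])                                # half a record lands on disk
    seen.append([len(p) for _, p in tailer.poll()])      # nothing complete yet
    with open(path, "ab") as f:
        f.write(rec[10:])
    seen.append([len(p) for _, p in tailer.poll()])      # now the 6-byte record
    os.rename(path, path + ".1")                         # harvester rotates the file
    seen.append([len(p) for _, p in tailer.poll()])      # handle released, nothing to read
    with open(path, "wb") as f:                          # writer recreates the file
        f.write(build_pcap([b"\x03" * 30]))
    seen.append([len(p) for _, p in tailer.poll()])
    return seen
```

Calling `simulate_rotation()` walks through the sequence: `[[14, 20], [], [6], [], [30]]`. The empty second step is the partial-record case (a writer such as tcpdump can be mid-record when the reader polls), and the empty fourth step is the window Carter describes in which the old name has been harvested but the new file does not yet exist; the tailer simply retries the open on the next poll.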