Do you know how to read a pcap file continuously?
Harry Hoffman
hhoffman at ip-solutions.net
Wed Sep 18 13:07:56 EDT 2013
Might be interesting to look at the Perl module File::Tail as (I believe) it implements most of the logic stated in the thread.
Cheers,
Harry
On 09/18/2013 12:20 PM, Carter Bullard wrote:
> Not sure that I can resolve your 1 and 2.
>
> So, I could see a situation where argus is just sitting on
> a single tcpdump output file, say /tmp/tcpdump.out.
>
> This thing grows until someone decides to harvest the file,
> and renames it and somehow tcpdump recreates it and continues to write.
> Argus will have to close the packet file it had open, and open the same
> packet file again. In this case the file will not exist for a little while.
>
> I could implement this as a loop trying to resolve the argus
> "waiting for the file to show up" state.
>
> Carter
>
>
>
> On Sep 18, 2013, at 11:31 AM, "James A. Robinson" <jimr at highwire.stanford.edu> wrote:
>
>> On Wed, Sep 18, 2013 at 7:49 AM, Carter Bullard <carter at qosient.com> wrote:
>> So a few situational issues that we need to resolve.
>> 1. I presume that you want to wait for the packet file to show up, if it's not there when we start ?
>> 2. What do we do when the file is removed ?? Should we exit ???? Or should we wait for a new one to arrive??
>>
>> There are a few gotchas I need to account for, say when argus starts and the initial pcap file is empty.
>>
>> If you're soliciting feedback from list readers, I'd like to throw in a vote for behavior similar to how tail(1) operates...
>>
>> 1. If the file isn't there, exit with a message indicating that.
>>
>> 2. Since tail keeps its file open this doesn't come up for it, but it does warn about the file changing, so waiting for a new file to arrive and warning about the change would make sense to me (perhaps also warning about the file going away when that is first detected).
>>
>> 3. If the pcap file is zero length, just wait for data to arrive.
>>
>
>
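The tail(1)-like behaviour the thread converges on (exit if the file is missing at start, treat a zero-length file or a half-written trailing record as "nothing yet", warn and reopen when tcpdump's output file is removed or renamed and recreated), sketched as an added Python example; this is neither argus nor File::Tail code and none of the posters wrote it. Detecting the rename by comparing inode numbers, the 0.5 s poll interval, and supporting only the classic microsecond pcap format are assumptions of the example.

```python
import os, struct, sys, time

MAGIC = {b"\xd4\xc3\xb2\xa1": "<IIII", b"\xa1\xb2\xc3\xd4": ">IIII"}  # magic -> record header fmt
# constructed sample: little-endian global header plus two tiny records ("abc" and "xy")
SAMPLE = (b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00" + b"\x00" * 8 + b"\xff\xff\x00\x00\x01\x00\x00\x00"
          + struct.pack("<IIII", 1, 2, 3, 3) + b"abc" + struct.pack("<IIII", 4, 5, 2, 2) + b"xy")

class PcapTailParser:
    """Incremental reader: returns complete records only; an empty file or half-written tail = nothing yet."""
    def __init__(self):
        self.buf, self.fmt = b"", None  # fmt unknown until the 24-byte global header is in
    def feed(self, data):
        self.buf += data
        if self.fmt is None and len(self.buf) >= 24:
            self.fmt = MAGIC.get(self.buf[:4])
            if self.fmt is None:
                raise ValueError("not a pcap file")
            self.buf = self.buf[24:]  # drop the global header
        pkts = []
        while self.fmt and len(self.buf) >= 16:
            ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(self.fmt, self.buf[:16])
            if len(self.buf) < 16 + incl_len:
                break  # partial record: tcpdump may still be writing it
            pkts.append((ts_sec, ts_frac, self.buf[16:16 + incl_len]))
            self.buf = self.buf[16 + incl_len:]
        return pkts

def follow(path, poll=0.5):  # tail -F style generator of (ts_sec, ts_frac, packet_bytes)
    if not os.path.exists(path):
        sys.exit(f"{path}: no such file")  # vote 1: missing at start is an error
    while True:
        try:
            f = open(path, "rb")
        except FileNotFoundError:
            time.sleep(poll)  # removed after start: wait for the new one to show up
            continue
        inode, parser = os.fstat(f.fileno()).st_ino, PcapTailParser()
        while True:
            while data := f.read(65536):  # drain whatever tcpdump has written so far
                yield from parser.feed(data)
            try:
                if os.stat(path).st_ino == inode:
                    time.sleep(poll)  # EOF on the same file: wait for more data
                    continue
                msg = "file replaced, reopening"  # renamed and recreated
            except FileNotFoundError:
                msg = "file removed, waiting for a new one"
            print(f"{path}: {msg}", file=sys.stderr)
            f.close()
            break
```

Feeding `SAMPLE` to the parser in arbitrary chunk sizes yields the same two records, which is what makes the approach safe against tcpdump writing a record in two pieces.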