
I'm trying to build a solution where dumpcap saves to text file in the format:

timestamp_as_detailed_as_possible, HEX-raw-packet

My goal is to have this continuously streaming each single data packet to the file, separated by newline.

2 questions:

  • Is it possible for dumpcap to take care of fragmented packets, so I'm guaranteed each line contains 1 single full packet?

  • Is it OK to have another thread afterwards running and reading lines from the same file, do something with the data and then delete the line when processed - without this interfering with dumpcap?

2 Answers

Is it OK to have another thread afterwards running and reading lines from the same file, do something with the data and then delete the line when processed - without this interfering with dumpcap?

No. But this is the wrong approach. A pipe is actually what you should use here, i.e. dumpcap writing to a pipe and the analyzing process reading from it, i.e.

dumpcap -w - | analyzer

Is it possible for dumpcap to take care of fragmented packets, so I'm guaranteed each line contains 1 single full packet?

No, and it is also unclear here what exactly you expect. Usually there is no fragmentation done at the IP level at all, since TCP tries to adjust the packet size to not be larger than the MTU anyway. And TCP should be treated as a byte stream only, i.e. don't expect anything you send to end up in a single packet or that multiple sends will actually result in multiple packets.


6 Comments

My reason for not using a pipe is that if the analyser crashes, then packets are lost. So writing to flat files at first seems more secure.

@AlfredBalle: The requirement makes sense. But you cannot remove parts from the beginning of a file while at the same time adding new stuff to the end, since the file position of the end will change.

That makes sense of course. Maybe write to a database (sqlite), and then if the write to this fails, write to a file for backup. Then have an analyser taking records from the same sqlite? But then dumpcap can't work independently.

@AlfredBalle: dumpcap can run in "multiple files" mode. Just remember in your analyzer where the last file and position was and then simply delete a file which was fully processed instead of deleting single entries.

@SteffenUllrich analyser not found. Where can I download/install it from?
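Both approaches from this answer and its comments (the pipe `dumpcap -w - | analyzer`, and the "multiple files" ring buffer whose fully processed files are deleted whole) need the same thing on the analyzer side: a reader for dumpcap's binary output that turns each record into the asked-for `timestamp,HEX` line. The script below is an added example written for this page, not code from either answerer or from the Wireshark project. It assumes dumpcap is started with `-P` so that it writes classic pcap rather than its default pcapng (the parser handles only classic pcap, in both byte orders and with microsecond or nanosecond stamps), that the ring-buffer files carry dumpcap's zero-padded numbering so that sorting by name gives capture order, and the file name `analyzer.py`, the state-file name `analyzer_state.json` and the sample frames are all constructed for the demo. Pipe mode is `dumpcap -P -w - | python3 analyzer.py`; ring-buffer mode is something like `dumpcap -P -b duration:60 -w /captures/cap.pcap` with `process_rotated_files` run periodically against that directory.

```python
import io
import json
import os
import struct
import sys
import tempfile

# Magic as read little-endian; swapped values mean a big-endian writer. ..3C4D = nanosecond stamps.
MAGICS = {0xA1B2C3D4: ("<", 6), 0xD4C3B2A1: (">", 6),
          0xA1B23C4D: ("<", 9), 0x4D3CB2A1: (">", 9)}

def iter_pcap_records(stream):
    """Yield (timestamp, frame, truncated) per record; truncated means snaplen cut the frame."""
    if isinstance(stream, (bytes, bytearray)):
        stream = io.BytesIO(stream)
    header = stream.read(24)  # a blocking BufferedReader returns n bytes unless EOF
    if len(header) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", header[:4])[0]
    if magic not in MAGICS:
        raise ValueError(f"not a classic pcap stream (magic {magic:#x}); run dumpcap with -P")
    endian, frac_digits = MAGICS[magic]
    while True:
        rec = stream.read(16)
        if not rec:
            return  # clean end of stream on a record boundary
        if len(rec) < 16:
            raise ValueError("truncated record header")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", rec)
        data = stream.read(incl_len)
        if len(data) < incl_len:
            raise ValueError("truncated record data")
        yield f"{ts_sec}.{ts_frac:0{frac_digits}d}", data, incl_len < orig_len

def format_line(ts, data):
    """The asked-for "timestamp,HEX" line, keeping the capture's full timestamp precision."""
    return f"{ts},{data.hex()}"

def stream_to_lines(stream, sink):
    """Pipe mode: one line per record; frames cut by snaplen are flagged, not silently shortened."""
    count = 0
    for ts, data, truncated in iter_pcap_records(stream):
        if truncated:
            print(f"warning: frame at {ts} cut by snaplen", file=sys.stderr)
        sink(format_line(ts, data))
        count += 1
    return count

def _save_state(path, name, records):
    with open(path, "w") as fh:
        json.dump({"file": name, "records": records}, fh)

def process_rotated_files(capture_dir, state_path, sink, suffix=".pcap", checkpoint_every=1000):
    """Ring-buffer mode: consume completed files in name order, checkpoint progress in a
    state file, and delete each file only once every record in it has been delivered."""
    state = {"file": None, "records": 0}
    if os.path.exists(state_path):
        with open(state_path) as fh:
            state = json.load(fh)
    names = sorted(n for n in os.listdir(capture_dir) if n.endswith(suffix))
    for name in names[:-1]:  # the newest file is still open in dumpcap: leave it alone
        skip = state["records"] if state["file"] == name else 0
        path = os.path.join(capture_dir, name)
        with open(path, "rb") as fh:
            for i, (ts, data, _) in enumerate(iter_pcap_records(fh)):
                if i < skip:  # already delivered before a restart
                    continue
                sink(format_line(ts, data))
                if (i + 1) % checkpoint_every == 0:
                    _save_state(state_path, name, i + 1)
        os.remove(path)  # a crash before this line re-delivers at most checkpoint_every records
        _save_state(state_path, None, 0)

def build_sample_pcap(frames, nanosecond=False):
    """Constructed test data: little-endian pcap, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B23C4D if nanosecond else 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts_sec, ts_frac, data, orig_len in frames:
        out += struct.pack("<IIII", ts_sec, ts_frac, len(data), orig_len) + data
    return out

def run_demo(resume_from=0):
    """Constructed ring buffer of three files; resume_from skips records already delivered from the first."""
    a = bytes.fromhex("ffffffffffff0011223344550806")  # constructed 14-byte Ethernet header
    b = a[:10]                                         # frame cut to 10 of its 60 bytes
    files = {"cap_00001.pcap": [(1700000000, 123456, a, len(a)), (1700000001, 7, b, 60)],
             "cap_00002.pcap": [(1700000002, 0, a, len(a))],
             "cap_00003.pcap": [(1700000003, 0, b, 60)]}  # newest, still being written
    with tempfile.TemporaryDirectory() as d:
        for name, frames in files.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(build_sample_pcap(frames))
        state_path = os.path.join(d, "analyzer_state.json")
        if resume_from:
            _save_state(state_path, "cap_00001.pcap", resume_from)
        lines = []
        process_rotated_files(d, state_path, lines.append)
        return lines, sorted(os.listdir(d))

if __name__ == "__main__":
    stream_to_lines(sys.stdin.buffer, lambda line: print(line, flush=True))
```

Two points this makes concrete. First, "one full packet per line" here means one captured frame as dumpcap recorded it: the `truncated` flag tells you when the snaplen cut it, and IP fragments still arrive as separate frames, exactly as the answer says. Second, the ring-buffer consumer gives at-least-once delivery across an analyzer crash (it may re-emit the records since the last checkpoint) without ever editing a file dumpcap is still writing; the only file operation it performs is deleting a file it has finished with, which is what the comment above recommends.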

I'm trying to build a solution where dumpcap saves to text file

Dumpcap doesn't save to text files, it saves to binary pcap or pcapng files.

You might want to consider using tcpdump instead, although you'd have to pipe it to a separate program/script to massage its output into the format you want.
