I'm trying to dump the content of a sys_write using a chisel. After a bit of research I've found that --snaplen increases the max size for capturing I/O operations, but even with this I'm capped at 41512. Is there a way of increasing this?
My chisel looks like this:
    -- Assumed setup (not shown in the original post): the chisel needs these
    -- globals and an on_init() that requests the fields before on_event() runs.
    elf_magic = "\127ELF"      -- ELF header magic (0x7f 'E' 'L' 'F')
    syscallname = "write"      -- evt.type value to match
    count = 0                  -- number of ELF buffers dumped so far
    ftype, fdir, fcontent = nil, nil, nil

    function on_init()
        -- Request the event fields that on_event() reads
        ftype = chisel.request_field("evt.type")
        fdir = chisel.request_field("evt.dir")
        fcontent = chisel.request_field("evt.arg.data")   -- write() buffer (field name assumed)
        return true
    end

    -- True when str begins with the ELF magic bytes
    function starts_with(str)
        return str:sub(1, #elf_magic) == elf_magic
    end

    -- Event parsing callback
    function on_event()
        -- Only the exit ("<") of the syscall carries the written buffer
        if evt.field(ftype) == syscallname and evt.field(fdir) == "<" then
            local content = evt.field(fcontent)
            if content == nil then
                return true
            end
            print("------------------------")
            print(string.format("size : %d", #content))
            print("------------------------")
            if starts_with(content) then
                count = count + 1
                print(string.format("[+]Dumping elf number %d", count))
                local file_name = "elf_dump_" .. count
                local file = io.open(file_name, "wb")   -- binary mode so ELF bytes are written untouched
                if file then
                    file:write(content)
                    file:close()
                else
                    print("Failed to open file for writing:", file_name)
                end
            end
        end
        return true
    end