search

draios / sysdig

Linux system exploration and troubleshooting tool with first class support for containers
http://www.sysdig.com/
Other
7.79k stars 728 forks source link

Max size of --snaplen #2081

Closed 0xdeaddc0de closed 3 months ago

0xdeaddc0de commented 7 months ago

I'm trying to dump the content of a sys_write using a chisel. After a bit of research i've found that --snaplen increase the max size for capturing I/O opreration, but even with this i'm capped at 41512. Is there a way of increasing this ? My chisel looks like this 

function starts_with(str)
    return str:sub(1, #elf_magic) == elf_magic
end
-- Event parsing callback
function on_event()
    if evt.field(ftype) == syscallname and evt.field(fdir) == "<" then
        local content = evt.field(fcontent)
        print("------------------------")
        print(string.format("size : %d",#content))
        print("------------------------")
        if starts_with(content) == true then
            count = count + 1
            print(string.format("[+]Dumping elf number %d",count))
            local file_name = "elf_dump_" .. count
            local file = io.open(file_name, "w")
            if file then
                file:write(content)
                file:close()
            else
                print("Failed to open file for writing:", file_name)
            end
        end
    end

    return true
end
github-actions[bot] commented 3 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.