Open xtaran opened 6 months ago
Writing pcap's has been requested multiple times, I think I'd like to understand the use-case more:
Do you want one singular pcap file that sniffglue writes to until terminated? In theory you can currently keep sniffglue running indefinitely, but when writing pcaps you'd eventually run out of disk unless you terminate and restart sniffglue periodically. During startup sniffglue discards access to the file system (depending on the operating system, using pledge and unveil, or by doing a combination of chroot then removing the process's chroot capabilities). Because of this, it's possible to open a file to write to during startup, but features like "log rotation" for pcaps can't be implemented because the process may close open files but not open any new ones.
I hesitated because of this, and that's why I'm asking if writing to a singular file would be sufficient for your use-case.
> I'd like to understand the use-case more
Maybe I can explain it the other way round: Due to its threadedness and the use of seccomp I had a look at sniffglue as a potential tcpdump replacement, also because we occasionally had performance issues with tcpdump (usually on > 10 GBit/s interfaces) and more threads sounded like a way to get around these issues.
Common use cases where I want to save a PCAP file:

- `tcpdump` with rather narrow filters for capturing occurrences of really rare situations (like situations which appear only every other week, etc.)
- `tcpdump` for e.g. 5 minutes, then restart `tcpdump` and while the next round of `tcpdump` is running SNORT analyses the captured 5-minute-pcap-file in parallel with different rule sets in each SNORT process. (Advantage is that you have to capture it only once instead of once per SNORT process or rule set.)
- `tcpdump -c 1000 -w file.pcap "some pcapfilter rule"` to let `tcpdump` run until it captured 1000 examples, wait for it to finish and then I hopefully have enough different examples to understand what's going on. (Actually I just noticed that `sniffglue` doesn't seem to support PCAP filters either so far. But this is only needed for some of these scenarios.)
It's nice to see a threaded packet sniffer with seccomp. But it seems to lack a possibility to dump the captured packets onto disk.
Is this something on the roadmap? Or totally out of scope? Or already there and just not documented?
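As an added illustration of the two points raised in this thread (this is example code written for this page, not sniffglue's or tcpdump's own code): the maintainer's constraint that the output file must be opened before the process gives up filesystem access, and the `tcpdump -c 1000 -w file.pcap` use case of stopping after a fixed number of records. The writer below takes an already-open `Write` sink, emits a classic pcap global header and per-record headers, truncates stored bytes to the snaplen while preserving the original length, and reports when the record limit is reached. The type and function names (`PcapWriter`, `global_header`), the output path `capture.pcap` and the constructed sample frame are assumptions for this example; the sandboxing step is marked as a comment only, since pledge/unveil/chroot are OS-specific and need privileges.

```rust
// Added example (not sniffglue's or tcpdump's code): a minimal pcap writer
// whose output handle is opened by the caller before the process drops
// filesystem access, with a record limit in the spirit of `tcpdump -c N`.
use std::fs::File;
use std::io::{self, Write};

/// Link-layer header type for Ethernet frames (LINKTYPE_ETHERNET / DLT_EN10MB).
pub const LINKTYPE_ETHERNET: u32 = 1;
/// Magic number for microsecond-resolution pcap; written in native byte order,
/// readers use it to detect the file's endianness.
pub const PCAP_MAGIC: u32 = 0xa1b2_c3d4;

/// The 24-byte pcap global header (format version 2.4).
pub fn global_header(linktype: u32, snaplen: u32) -> [u8; 24] {
    let mut h = [0u8; 24];
    h[0..4].copy_from_slice(&PCAP_MAGIC.to_ne_bytes());
    h[4..6].copy_from_slice(&2u16.to_ne_bytes()); // version_major
    h[6..8].copy_from_slice(&4u16.to_ne_bytes()); // version_minor
    h[8..12].copy_from_slice(&0i32.to_ne_bytes()); // thiszone (GMT offset, unused)
    h[12..16].copy_from_slice(&0u32.to_ne_bytes()); // sigfigs (unused)
    h[16..20].copy_from_slice(&snaplen.to_ne_bytes());
    h[20..24].copy_from_slice(&linktype.to_ne_bytes());
    h
}

/// Writes pcap records to an already-open sink. Because the sink is passed in,
/// the only open() happens in the caller, before any sandboxing.
pub struct PcapWriter<W: Write> {
    sink: W,
    snaplen: usize,
    written: u64,
    limit: Option<u64>,
}

impl<W: Write> PcapWriter<W> {
    pub fn new(mut sink: W, linktype: u32, snaplen: u32, limit: Option<u64>) -> io::Result<Self> {
        sink.write_all(&global_header(linktype, snaplen))?;
        Ok(PcapWriter { sink, snaplen: snaplen as usize, written: 0, limit })
    }

    /// Appends one record, truncating the stored bytes to snaplen while
    /// recording the original length. Returns Ok(true) while more records may
    /// be written and Ok(false) once the record limit is reached (the
    /// `tcpdump -c` behaviour); a call past the limit writes nothing.
    pub fn write_packet(&mut self, ts_sec: u32, ts_usec: u32, frame: &[u8]) -> io::Result<bool> {
        if self.limit.map_or(false, |l| self.written >= l) {
            return Ok(false);
        }
        let stored = &frame[..frame.len().min(self.snaplen)];
        let mut rec = Vec::with_capacity(16 + stored.len());
        rec.extend_from_slice(&ts_sec.to_ne_bytes());
        rec.extend_from_slice(&ts_usec.to_ne_bytes());
        rec.extend_from_slice(&(stored.len() as u32).to_ne_bytes()); // incl_len
        rec.extend_from_slice(&(frame.len() as u32).to_ne_bytes()); // orig_len
        rec.extend_from_slice(stored);
        self.sink.write_all(&rec)?;
        self.written += 1;
        Ok(self.limit.map_or(true, |l| self.written < l))
    }

    pub fn count(&self) -> u64 {
        self.written
    }

    /// Flushes and hands the sink back (a File is closed when it is dropped).
    pub fn finish(mut self) -> io::Result<W> {
        self.sink.flush()?;
        Ok(self.sink)
    }
}

fn main() -> io::Result<()> {
    // 1. Open the output file while the filesystem is still reachable
    //    (assumed path for this example).
    let file = File::create("capture.pcap")?;
    let mut writer = PcapWriter::new(file, LINKTYPE_ETHERNET, 65_535, Some(1000))?;

    // 2. This is where sniffglue-style sandboxing (pledge/unveil, or chroot plus
    //    capability drop, plus seccomp) would be applied; omitted here because it
    //    is OS-specific and needs privileges. After that point no new file could
    //    be opened, so rotating to a second file is impossible, but writing to
    //    the handle opened in step 1 keeps working.

    // 3. Constructed sample frame (not a real capture): a 60-byte Ethernet frame
    //    with EtherType 0x0800 and a zero payload.
    let mut frame = vec![0u8; 60];
    frame[12] = 0x08;
    frame[13] = 0x00;
    let more = writer.write_packet(0, 0, &frame)?;
    println!("records written: {}, continue: {}", writer.count(), more);
    writer.finish()?;
    Ok(())
}
```

The design choice worth noting is that `PcapWriter` never opens anything itself: every `open()` is the caller's responsibility and happens in step 1, which is exactly the shape the maintainer describes as feasible under pledge/unveil or a chroot with dropped capabilities. The record limit gives the "capture 1000 examples then exit" behaviour without any rotation; periodic rotation would still require restarting the process from outside.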