Do not write pcap header to the named pipe.

kubeshark / tracer

The kernel tracer that attaches eBPF probes to containers for capturing TLS traffic

GNU General Public License v3.0

22 stars 6 forks source link

Do not write pcap header to the named pipe. #12

Closed bserdar closed 10 months ago

bserdar commented 11 months ago

This is to make worker start reading packets from an existing pcap file.

mertyildiran commented 10 months ago

The PCAP reader of sniffer container which opens the named pipe tls.pcap requires the file header to determine the first layer of the packets. The two containers start/restart together unless manually intervened and it should be fail safe. The file must be a valid PCAP file for the sake of clean implementation and debuggability.

alongir commented 10 months ago

Not sure it's connected. However, traffic that was successfully captured by the Tracer is not read by the Worker. @iluxa is on it: https://github.com/kubeshark/tracer/issues/14