Block errors when opening scap files from the kubectl capture plugin

[byrdog55]

adamantium:kubectl-capture jhayner$ /Applications/Sysdig\ Inspect.app/Contents/Resources/app/ember-electron/resources/sysdig/sysdig --version

sysdig version 0.26.1

adamantium:kubectl-capture jhayner$ file capture-1563982162.scap

capture-1563982162.scap: pcap-ng capture file - version 1.2

adamantium:kubectl-capture jhayner$ /Applications/Sysdig\ Inspect.app/Contents/Resources/app/ember-electron/resources/sysdig/sysdig -r capture-1563982162.scap

res = 1 event block length 17835928 greater than read buffer size 65536

I get the same results on a minimal-install of CentOS 7.6 and running the automatic installation.

uname -a
Linux prometheius@adamantium 3.10.0-957.21.3.el7.x86_64 #1 SMP Tue Jun 18 16:35:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

sysdig --version

sysdig version 0.26.1

[jhayner@prometheius@adamantium ~]$ file capture-content-engineering-jenkins-worker-ephemeral-dedicated-07ccv-1564003390.scap

capture-content-engineering-jenkins-worker-ephemeral-dedicated-07ccv-1564003390.scap: pcap-ng capture file - version 1.2
[jhayner@prometheius@adamantium ~]$ sysdig -r capture-content-engineering-jenkins-worker-ephemeral-dedicated-07ccv-1564003390.scap

res = 1 event block length 17835928 greater than read buffer size 65536

Please also reference the following issues: https://github.com/draios/sysdig/issues/867 https://github.com/draios/sysdig-inspect/issues/58#issue-473071814

[michaelbannister]

Given this plugin has just been referenced in a recent blog post it would be nice if it could actually be fixed or the docs improved if that’s what’s required…