[tcpdump-workers] Fwd: Tcpdump circular ring buffer modification

Tugrul Erdogan h.tugrul.erdogan at gmail.com
Tue Jul 28 04:25:12 EDT 2015


Hi All,

I am using libpcap version 1.7.3 and tcpdump version 4.1.1. I need to
record the traffic of an interface, so I am planning to use tcpdump with the
"-W 6 -G 10" parameters to keep a recording of the last one minute.

But the tcpdump process exits after recording the sixth pcap file, whereas I
need an endless ring-buffer recording process that removes the oldest pcap
file before each new pcap file, to be able to limit the disk space used by the
ring buffer.

To solve this problem I can write a script that starts a new ring-buffer
recorder tcpdump each minute after the current one exits; but on each
restart attempt, process creation and waiting for the record time cause
packet drops in the ring buffer.

So I have examined the exiting section of the tcpdump source code in the
"tcpdump.c" file (just below the
"/*
 * Check to see if we've exceeded the Wflag (when
 * not using Cflag).
 */"
section).

Firstly, I am planning to disable the exiting code inside the "Wflag"
number-of-files check. Secondly, I am planning to keep the "WFileName" file
names in a circular queue structure which can store a maximum of "Wflag"
strings at any time. I will use these older "WFileName" strings to remember
the oldest pcap file and delete it from the directory. When I remove the
oldest "WFileName" from the directory, I will remove its name from the
circular queue too.

So I would like your reviews on whether I should make this modification or not.
Thank you.

Best regards,
Tugrul
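The circular queue of "WFileName" strings described in the post, as an added example that is not part of the original message and not tcpdump's own code. It assumes the same window semantics as -W (at most Wflag files on disk) and uses hypothetical helper names (pcap_ring, ring_rotate); the file names in the self-check are constructed under /tmp. The point worth seeing is the eviction path: the name that falls out of the window is unlinked, and a failed unlink is reported rather than ignored, because a silently skipped deletion means the disk bound the ring buffer was meant to enforce no longer holds.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Circular queue of the last Wflag file names written (hypothetical helper,
 * not tcpdump's own code). names[head] is always the oldest entry. */
struct pcap_ring {
    char **names;   /* Wflag slots, NULL when unused */
    size_t cap;     /* Wflag: maximum number of files kept on disk */
    size_t head;    /* index of the oldest name */
    size_t count;   /* names currently stored (<= cap) */
};

static int ring_init(struct pcap_ring *r, size_t wflag)
{
    if (wflag == 0)
        return -1;                       /* -W 0 has nothing to keep */
    r->names = calloc(wflag, sizeof *r->names);
    if (r->names == NULL)
        return -1;
    r->cap = wflag;
    r->head = 0;
    r->count = 0;
    return 0;
}

/* Remember a newly opened file. When the queue is full the oldest name is
 * overwritten and handed back to the caller (who must free it); otherwise
 * NULL is returned and nothing needs deleting yet. */
static char *ring_push(struct pcap_ring *r, const char *name)
{
    char *evicted = NULL;
    size_t slot;
    if (r->count == r->cap) {
        slot = r->head;
        evicted = r->names[slot];
        r->head = (r->head + 1) % r->cap;
    } else {
        slot = (r->head + r->count) % r->cap;
        r->count++;
    }
    r->names[slot] = strdup(name);
    return evicted;
}

/* The rotation step the post proposes: record the new file, then unlink the
 * file that fell out of the window. Returns 0 on success, -1 if the oldest
 * file exists but could not be removed (disk usage would then keep growing). */
static int ring_rotate(struct pcap_ring *r, const char *newname)
{
    char *old = ring_push(r, newname);
    int rc = 0;
    if (old != NULL) {
        if (remove(old) != 0 && errno != ENOENT)
            rc = -1;                     /* still on disk: report, don't ignore */
        free(old);
    }
    return rc;
}

static const char *ring_oldest(const struct pcap_ring *r)
{
    return r->count ? r->names[r->head] : NULL;
}

static void ring_free(struct pcap_ring *r)
{
    size_t i;
    for (i = 0; i < r->cap; i++)
        free(r->names[i]);
    free(r->names);
    r->names = NULL;
    r->cap = r->count = r->head = 0;
}

/* Self-check with constructed files under /tmp: a window of 3 receives 5 files,
 * so exactly the two oldest must be gone afterwards. Returns 1 on success. */
static int ring_selftest(void)
{
    struct pcap_ring r;
    char name[5][64];
    int i, ok = 1;
    if (ring_init(&r, 3) != 0)
        return 0;
    for (i = 0; i < 5; i++) {
        FILE *f;
        snprintf(name[i], sizeof name[i], "/tmp/ring_example_%d.pcap", i);
        if ((f = fopen(name[i], "w")) == NULL)
            return 0;
        fclose(f);
        if (ring_rotate(&r, name[i]) != 0)
            ok = 0;
    }
    for (i = 0; i < 5; i++) {            /* files 0 and 1 evicted, 2..4 kept */
        FILE *f = fopen(name[i], "r");
        if ((f != NULL) != (i >= 2))
            ok = 0;
        if (f)
            fclose(f);
    }
    if (ring_oldest(&r) == NULL || strcmp(ring_oldest(&r), name[2]) != 0)
        ok = 0;
    ring_free(&r);
    for (i = 2; i < 5; i++)
        remove(name[i]);
    return ok;
}

int main(void)
{
    printf("ring self-test %s\n", ring_selftest() ? "passed" : "FAILED");
    return 0;
}
```

In tcpdump.c the ring would be filled at the point where the next -G file name is generated, replacing the exit that the Wflag check performs today. A queue of names (rather than a counter) is needed because -G file names come from strftime and cannot be recomputed from an index, unlike the numeric suffixes that -C with -W already overwrites in place. ring_free releases the slots, so the oldest names never leak across a long-running capture.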

