Wireshark
the world's foremost network protocol analyzer
Wireshark-dev: [Wireshark-dev] Dumpcap, reporting closed file
From: David <lists@xxxxxxxxx>
Date: Wed, 04 Feb 2009 14:59:29 +0000
I am interested in making dumpcap report when it closes a file, so that another utility can start to parse the file. This would be especially useful in multiple files/ringbuffer mode.
I've played with the -Z option after finding it in the code but it still only reports when the next file is opened. I could script and buffer the last filename but this wouldn't work so well when dumpcap is closing. i.e. dumpcap closes and EOF is set, but we don't know if there was an error condition (so should we process the last file or not?).
If dumpcap could report that a file was successfully closed this would be easier. I have so far modified the code to report on exit (^C) by adding a function report_closed_capture_file, in the same way that report_new_capture_file works. This has the benefit of working in capture child mode too.
This doesn't work in ring buffer mode though. I see ringbuf_switch_file in two places in dumpcap.c. This returns successfully if the file switch succeeds, but by this point we do not know the last filename.
So my question is as follows: is it worth modifying dumpcap to have this function? Or has somebody already written a script/program to do the same? If there's a better way to achieve this, I would be happy to hear about it.
Thanks, David
- Prev by Date: Re: [Wireshark-dev] compare two capture files and io graph
- Next by Date: Re: [Wireshark-dev] explicitly stop capture with Tshark
- Previous by thread: [Wireshark-dev] Import from text file
- Next by thread: [Wireshark-dev] Runtime error after a few hours of running
- Index(es):