
Wireshark-dev: [Wireshark-dev] Dumpcap, reporting closed file

From: David <lists@xxxxxxxxx>
Date: Wed, 04 Feb 2009 14:59:29 +0000

I am interested in making dumpcap report when it closes a file, so that another utility can start to parse the file. This would be especially useful in multiple files/ringbuffer mode.

I've played with the -Z option after finding it in the code but it still only reports when the next file is opened. I could script and buffer the last filename but this wouldn't work so well when dumpcap is closing, i.e. dumpcap closes and EOF is set, but we don't know if there was an error condition (so should we process the last file or not?).

If dumpcap could report that a file was successfully closed this would be easier. I have so far modified the code to report on exit (^C) by adding a function report_closed_capture_file, in the same way that report_new_capture_file works. This has the benefit of working in capture child mode too.

This doesn't work in ring buffer mode though. I see ringbuf_switch_file in two places in dumpcap.c. This returns successfully if the file switch succeeds, but by this point we do not know the last filename.

So my question is as follows: is it worth modifying dumpcap to have this function? Or has somebody already written a script/program to do the same? If there's a better way to achieve this, I would be happy to hear about it.

Thanks,

David
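
The "buffer the last filename" workaround described in the message, as an added example that is not part of the original post and is not dumpcap code. It assumes a hypothetical wrapper that delivers one capture filename per "new file opened" notification and the capture process's exit status once the stream ends; the filenames and the meaning given to exit status 0 are assumptions.

```python
from typing import Iterable, Iterator, Optional, Tuple

# Constructed sample: one line per "new file opened" notification
# (assumed format, not dumpcap's real output).
SAMPLE_EVENTS = [
    "cap_00001_20090204145929.pcap\n",
    "cap_00002_20090204150029.pcap\n",
    "\n",  # blank line, ignored
    "cap_00003_20090204150129.pcap\n",
]


def closed_files(new_file_events: Iterable[str],
                 exit_status: Optional[int]) -> Iterator[Tuple[str, str]]:
    """Yield (filename, verdict) for each file that is no longer being written.

    A file is known to be closed only once the *next* file is announced.
    The last file is the ambiguous case from the message: at EOF it is
    reported as "closed" only if the capture process exited with status 0
    (assumption: 0 means a clean shutdown); otherwise it is "suspect" and
    the consumer should validate it before parsing.
    """
    previous: Optional[str] = None
    for line in new_file_events:
        name = line.strip()
        if not name:
            continue
        if previous is not None and name != previous:
            yield previous, "closed"
        previous = name
    # End of notifications: the capture process has gone away.
    if previous is not None:
        yield previous, "closed" if exit_status == 0 else "suspect"


if __name__ == "__main__":
    for status in (0, 1, None):  # clean exit, error exit, status unknown
        print(f"exit_status={status}")
        for name, verdict in closed_files(SAMPLE_EVENTS, status):
            print(f"  {verdict:8s} {name}")
```
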