tcpdump mailing list archives
Feature request: time limits
From: Rob Quinn <rquinn () pobox com>
Date: Mon, 20 Oct 2003 12:22:07 -0400
I'd like a time limit flag for tcpdump. For instance 'tcpdump -c 10000 -T
0.5' would exit after 10000 packets, or 500ms, whichever comes first. Super
precision on the time isn't required. A finite time limit is critical.
Background: I'm collecting network samples from several sensors. On the busy
sensors, '-c 10000' is guaranteed to finish in a few 10's of seconds. On other
sensors, '-c 500' can run for minutes without finishing. Unfortunately, due to
a squirrelly firewall product from a vendor I won't name, the longer tcpdump
runs the greater the chance the whole machine will lock up tight. This makes
the firewall owner unhappy.
See patches below for a sample implementation with ualarm and SIGALRM. Since
the -T flag is already gone, I used '-Q'. I followed the SIGTERM/SIGINT
examples, but the whole thing strikes me as questionable. Is there a chance
the logfile will be garbled? Are all of the packets really getting flushed to
the logfile?
ps - on the www.tcpdump.org web page, the "archive" link under "Mailing lists"
only shows emails up to Dec 2002.
Patch against my NetBSD-current tcpdump, which might be a little different
from stock 3.7.1:
Index: tcpdump.c
===================================================================
RCS file: /cvsroot/src/dist/tcpdump/tcpdump.c,v
retrieving revision 1.6
diff -c -r1.6 tcpdump.c
*** tcpdump.c 2002/09/22 16:59:16 1.6
--- tcpdump.c 2003/10/20 16:16:06
***************
*** 302,307 ****
--- 302,308 ----
struct dump_info dumpinfo;
u_char *pcap_userdata;
char ebuf[PCAP_ERRBUF_SIZE];
+ useconds_t timelimit=0;
cnt = -1;
device = NULL;
***************
*** 322,328 ****
opterr = 0;
while (
! (op = getopt(argc, argv, "aAc:C:dD:eE:fF:i:lLm:nNOpqr:Rs:StT:uvw:xXY")) != -1)
switch (op) {
case 'a':
--- 323,329 ----
opterr = 0;
while (
! (op = getopt(argc, argv, "aAc:C:dD:eE:fF:i:lLm:nNOpQ:qr:Rs:StT:uvw:xXY")) != -1)
switch (op) {
case 'a':
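Review bot: The `Q:` added to the getopt string has no matching documentation in this patch: none of the tcpdump.c hunks touches a usage message, and no man page change is included. Add the flag and its unit (seconds, fractions allowed, per the `1000000.0 * atof(optarg)` conversion) to both, so users do not have to read the source to learn it.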
***************
*** 429,434 ****
--- 430,440 ----
++pflag;
break;
+ case 'Q':
+ timelimit = (useconds_t)(1000000.0 * atof(optarg));
+ if (timelimit < 0)
+ error("invalid timelimit %s", optarg);
+ break;
case 'q':
++qflag;
break;
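Review bot: In `case 'Q'`, the `if (timelimit < 0)` check can never fire because `timelimit` is declared `useconds_t`, an unsigned type, so a negative or non-numeric argument is silently accepted. `atof` also reports no parse errors (input such as `abc` yields 0), and casting a negative or too-large double to an unsigned integer is not a defined conversion. Parse into a `double` with `strtod`, check the end pointer, reject values that are not positive or that exceed the range of `useconds_t`, and only then cast.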
***************
*** 588,593 ****
--- 594,600 ----
(void)setsignal(SIGTERM, cleanup);
(void)setsignal(SIGINT, cleanup);
+ (void)setsignal(SIGALRM, cleanup);
/* Cooperate with nohup(1) */
if ((oldhandler = setsignal(SIGHUP, cleanup)) != SIG_DFL)
(void)setsignal(SIGHUP, oldhandler);
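Review bot: Routing `SIGALRM` to `cleanup` means the timeout is handled asynchronously, at whatever point `pcap_loop` or the packet callback happens to be, which is the case the flush question in the message is about; the body of `cleanup` is not in this diff, so the patch alone does not show that a half-written record is impossible. A safer pattern is a dedicated handler that only sets a `volatile sig_atomic_t` flag (or calls `pcap_breakloop()` where libpcap provides it), so the loop stops at a packet boundary and the dump file is closed from normal code.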
***************
*** 620,632 ****
--- 627,651 ----
program_name, device);
(void)fflush(stderr);
}
+ if(timelimit>=0 && ((useconds_t) -1)==ualarm(timelimit,0))
+ {
+ (void)fprintf(stderr,"%s: error setting alarm.\n",program_name);
+ (void)fflush(stderr);
+ pcap_close(pd);
+ exit(1);
+ }
+
if (pcap_loop(pd, cnt, printer, pcap_userdata) < 0) {
(void)fprintf(stderr, "%s: pcap_loop: %s\n",
program_name, pcap_geterr(pd));
+ if(timelimit>0)
+ (void)ualarm(0,0);
cleanup(0);
pcap_close(pd);
exit(1);
}
+ if(timelimit>0)
+ (void)ualarm(0,0);
if (RFileName == NULL)
info(1);
pcap_close(pd);
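Review bot: The arming test `timelimit>=0` is always true for an unsigned `useconds_t`, so `ualarm(timelimit,0)` is called even when `-Q` was not given, while both cancel sites test `timelimit>0`; use `timelimit>0` in all three places. The new error path also calls `pcap_close(pd)` and `exit(1)` without `cleanup(0)`, unlike the `pcap_loop` failure path just below it. In addition, `ualarm` is not portable for values of 1000000 microseconds or more (some systems reject them with EINVAL), so limits of a second or longer would be better served by `setitimer(ITIMER_REAL, ...)`, which takes seconds and microseconds separately.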
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
