Re: Compression support

[Ray Bellis <ray () bellis me uk>]

On 09/06/2017 14:07, Ray Bellis wrote:

> My modified libpcap is at:
>
> <https://github.com/raybellis/libpcap/tree/raybellis-gzip>
>
> This so far only supports file reading. I don't expect file writing to
> be difficult.

I've now added file writing support too.

One complication is that many lipcap applications don't explicitly close
the dump with pcap_dump_close() (c.f. this *very* old posting from 2003
-
<https://www.mail-archive.com/tcpdump-workers () sandelman ottawa on ca/msg01656.html>)
and instead rely on the operating system's implicit close-file-on-exit
semantics.

I therefore had to extend the plugin architecture to add an atexit()
handler that closes any virtual FILE* that's still open since they're
not backed by real file handles.

(Now that I think about that further, though, I wonder whether it would
be better for the core libpcap to take care of that for _any_ dump file
that's still open for writing on exit)

I do still have an open issue on how to handle pcap_dump_open_append()
since some compression libraries may not support opening files in "+"
update mode (zlib doesn't, for example).

Ray
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers