tcpdump mailing list archives

What is the main reason in absent append capabilities of tcpdump and libpcap?


From: Mikhail Manuylov <mikhail.manuilov () gmail com>
Date: Thu, 16 Feb 2006 20:17:45 +0300

Hi there,

All I wonder is why tcpdump still hasn't any binary dump append feature.

I got some facts and thoughts:
Implementation of the feature mentioned above is just a slight change to
libpcap's "savefile.c"
(i.e. addition of pcap_dump_open_append or adding an append flag to
pcap_dump_open
(the first won't break backward compatibility), which will differ from the
original function in the absence
of the sf_write_header procedure call, append write flags to fopen, checking
the magic header, and changing
position to the end of the old file) and tcpdump's getopt parsing loop.

All I need is a solution that appends raw tcpdump packets to one file.
I could make some crocks that will serve my current purpose (e.g. $tcpdump
<opts> -w - | magic_reaper >> old_dump) and won't leave my
work place, but I'd like to do some coding that will serve somebody else
too.

Here are the main troubles in adding the capability mentioned above, from my
own point of view:

1) Adding data to a BIG file will be slow while tcpdump is positioning at
the end of the old file, so some packets will be dropped
2) The whole list is dreaming about a new pcap format
http://www.tcpdump.org/pcap/pcap.html

Hmm, strange that I've found nearly one link (
http://www.tcpdump.org/lists/workers/2003/04/msg00248.html) and another on
some Russian forum
where people discuss that problem.

Thank you for your great work!

--
Truly yours, Mikhail Manuilov
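
The append path described in the message above, as an added illustration that is not part of the original post and is not libpcap code. The names demo_create, demo_open_append and demo_append are hypothetical; comparing snaplen and link type goes beyond the magic check the post mentions and is an assumption of this sketch, which handles only classic pcap files written in host byte order.

```c
#include <stdint.h>
#include <stdio.h>

#define PCAP_MAGIC 0xa1b2c3d4u  /* classic pcap, written in host byte order */

struct file_hdr {                /* 24-byte savefile header */
    uint32_t magic;
    uint16_t vmajor, vminor;
    int32_t  thiszone;
    uint32_t sigfigs, snaplen, linktype;
};
struct rec_hdr { uint32_t sec, usec, caplen, len; };  /* 16-byte record header */

/* Create a new savefile: this is the header write that append mode must skip. */
int demo_create(const char *path, uint32_t snaplen, uint32_t linktype)
{
    struct file_hdr h = { PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype };
    FILE *fp = fopen(path, "wb");
    if (!fp) return -1;
    int ok = fwrite(&h, sizeof h, 1, fp) == 1;
    return (fclose(fp) == 0 && ok) ? 0 : -1;
}

/* Open an existing savefile for appending; NULL if it is not compatible. */
FILE *demo_open_append(const char *path, uint32_t snaplen, uint32_t linktype)
{
    struct file_hdr h;
    FILE *fp = fopen(path, "r+b");          /* file must already exist */
    if (!fp) return NULL;
    if (fread(&h, sizeof h, 1, fp) != 1     /* too short to be a savefile */
        || h.magic != PCAP_MAGIC            /* foreign byte order or not pcap */
        || h.vmajor != 2
        || h.linktype != linktype           /* new records would be misdecoded */
        || h.snaplen != snaplen
        || fseek(fp, 0, SEEK_END) != 0) {   /* position after the last record */
        fclose(fp);
        return NULL;
    }
    return fp;
}

/* Append one packet record; no file header is written. */
int demo_append(FILE *fp, uint32_t sec, uint32_t usec, const void *pkt, uint32_t len)
{
    struct rec_hdr r = { sec, usec, len, len };
    return (fwrite(&r, sizeof r, 1, fp) == 1 && fwrite(pkt, 1, len, fp) == len) ? 0 : -1;
}
```

Refusing the append when the header does not match keeps a capture with a different link type from being written into a file whose readers would decode it under the old one.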