tcpdump mailing list archives

Re: pipeline buffering


From: jedge <d1m_bu1b () yahoo com>
Date: Sat, 10 Mar 2012 12:01:20 -0800 (PST)

Thank you very much.
I searched high and low, and there it is right in front of my face.
Two letters away no less!! duh.


I suppose if you don't HAVE_PCAP_DUMP_FLUSH....

Thank you again. 

Maybe for morons like me we can add a reference to -U in -w:
and since -U is conditional upon -w then it can be reflected in the usage.


SYNOPSIS
       tcpdump [ -AbdDefIKlLnNOpqRStuvxX ] [ -B buffer_size ] [ -c count ]
               [ -C file_size ] [ -G rotate_seconds ] [ -F file ]
               [ -i interface ] [ -m module ] [ -M secret ]
               [ -r file ] [ -s snaplen ] [ -T type ] [ -w file [-U]]  <<<<******
               [ -W filecount ]
               [ -E spi@ipaddr algo:secret,...  ]
               [ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
               [ expression ]


...

      -w     Write the raw packets to file rather than parsing  and  printing
              them  out.  They can later be printed with the -r option.
              Standard output is used if file is ``-''.  See -U to make output
              stream un-buffered or "packet buffered".  See pcap-savefile(5)
              for a description of the file format.




________________________________
 From: Guy Harris <guy () alum mit edu>
To: tcpdump-workers () lists tcpdump org 
Sent: Saturday, March 10, 2012 2:26 PM
Subject: Re: [tcpdump-workers] pipeline buffering
 

On Mar 10, 2012, at 6:18 AM, jedge wrote:

When using the (-w) option in conjunction with the (-l) option,

Use it with the -U option instead:

$ man tcpdump

    ...

       -U     Make  output  saved via the -w option ``packet-buffered''; i.e.,
              as each packet is saved, it will be written to the output  file,
              rather than being written only when the output buffer fills.

              The  -U  flag will not be supported if tcpdump was built with an
              older version of libpcap that lacks the pcap_dump_flush()  func-
              tion.


I modified tcpdump.c near lines 822 (-i) and 956 (-w) to detect the need to flush stdout when utilizing the pipeline 
by adding
setvbuf(stdout, NULL, _IONBF, 0);

Non-buffered I/O is overkill - depending on how _IONBF is implemented, it could result in multiple write() calls being 
done per packet (one write call per byte in the worst case).
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
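
The buffering trade-off discussed in this thread, shown as an added example that is not part of the original messages or of tcpdump's code: it counts the write() calls a stdio stream issues under default full buffering, under setvbuf(..., _IONBF, ...), and with one flush per packet as the -U text describes. The function name, mode constants and record sizes are constructed for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/socket.h>

enum { MODE_FULL, MODE_UNBUF, MODE_PACKET };   /* hypothetical mode names */

/* Write npkts constructed records (16-byte header + 64-byte payload, one
 * fwrite() each, the way a stdio-based savefile writer emits a packet) and
 * return how many write() calls reached the descriptor before fclose(). */
int writes_before_close(int mode, int npkts)
{
    int sv[2], n = 0;
    char rx[256];
    unsigned char hdr[16] = {0}, payload[64];

    /* A datagram socketpair preserves write() boundaries: one datagram per
     * write(), so counting datagrams counts system calls. */
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0) return -1;
    fcntl(sv[0], F_SETFL, O_NONBLOCK);   /* recv() fails instead of blocking */
    FILE *out = fdopen(sv[1], "w");      /* non-tty: fully buffered by default */
    if (!out) return -1;
    if (mode == MODE_UNBUF)
        setvbuf(out, NULL, _IONBF, 0);   /* the change proposed in the thread */
    memset(payload, 0xAB, sizeof payload);
    for (int i = 0; i < npkts; i++) {
        fwrite(hdr, 1, sizeof hdr, out);
        fwrite(payload, 1, sizeof payload, out);
        if (mode == MODE_PACKET)
            fflush(out);                 /* one flush per packet, as -U describes */
        while (recv(sv[0], rx, sizeof rx, 0) > 0) n++;   /* drain and count */
    }
    fclose(out);
    close(sv[0]);
    return n;
}

int main(void)
{
    printf("fully buffered: %d\n", writes_before_close(MODE_FULL, 4));
    printf("_IONBF:         %d\n", writes_before_close(MODE_UNBUF, 4));
    printf("packet flush:   %d\n", writes_before_close(MODE_PACKET, 4));
    return 0;
}
```

With full buffering nothing reaches a downstream reader until the buffer fills or the stream closes, which is the pipeline stall the thread started from; the per-packet flush delivers each record in a single write.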

