tcpdump mailing list archives
Feature request: time limits
From: Rob Quinn <rquinn () pobox com>
Date: Mon, 20 Oct 2003 12:22:07 -0400
I'd like a time limit flag for tcpdump. For instance 'tcpdump -c 10000 -T 0.5' would exit after 10000 packets, or 500ms, whichever comes first. Super precision on the time isn't required. A finite time limit is critical.

Background: I'm collecting network samples from several sensors. On the busy sensors, '-c 10000' is guaranteed to finish in a few 10's of seconds. On other sensors, '-c 500' can run for minutes without finishing. Unfortunately, due to a squirrelly firewall product from a vendor I won't name, the longer tcpdump runs the greater the chance the whole machine will lock up tight. This makes the firewall owner unhappy.

See patches below for a sample implementation with ualarm and SIGALRM. Since the -T flag is already gone, I used '-Q'. I followed the SIGTERM/SIGINT examples, but the whole thing strikes me as questionable. Is there a chance the logfile will be garbled? Are all of the packets really getting flushed to the logfile?

ps - on the www.tcpdump.org web page, the "archive" link under "Mailing lists" only shows emails up to Dec 2002.

Patch against my NetBSD-current tcpdump, which might be a little different from stock 3.7.1:

Index: tcpdump.c =================================================================== RCS file: /cvsroot/src/dist/tcpdump/tcpdump.c,v retrieving revision 1.6 diff -c -r1.6 tcpdump.c *** tcpdump.c 2002/09/22 16:59:16 1.6 --- tcpdump.c 2003/10/20 16:16:06 *************** *** 302,307 **** --- 302,308 ---- struct dump_info dumpinfo; u_char *pcap_userdata; char ebuf[PCAP_ERRBUF_SIZE]; + useconds_t timelimit=0; cnt = -1; device = NULL; *************** *** 322,328 **** opterr = 0; while ( ! (op = getopt(argc, argv, "aAc:C:dD:eE:fF:i:lLm:nNOpqr:Rs:StT:uvw:xXY")) != -1) switch (op) { case 'a': --- 323,329 ---- opterr = 0; while ( ! 
(op = getopt(argc, argv, "aAc:C:dD:eE:fF:i:lLm:nNOpQ:qr:Rs:StT:uvw:xXY")) != -1) switch (op) { case 'a': *************** *** 429,434 **** --- 430,440 ---- ++pflag; break; + case 'Q': + timelimit = (useconds_t)(1000000.0 * atof(optarg)); + if (timelimit < 0) + error("invalid timelimit %s", optarg); + break; case 'q': ++qflag; break; *************** *** 588,593 **** --- 594,600 ---- (void)setsignal(SIGTERM, cleanup); (void)setsignal(SIGINT, cleanup); + (void)setsignal(SIGALRM, cleanup); /* Cooperate with nohup(1) */ if ((oldhandler = setsignal(SIGHUP, cleanup)) != SIG_DFL) (void)setsignal(SIGHUP, oldhandler); *************** *** 620,632 **** --- 627,651 ---- program_name, device); (void)fflush(stderr); } + if(timelimit>=0 && ((useconds_t) -1)==ualarm(timelimit,0)) + { + (void)fprintf(stderr,"%s: error setting alarm.\n",program_name); + (void)fflush(stderr); + pcap_close(pd); + exit(1); + } + if (pcap_loop(pd, cnt, printer, pcap_userdata) < 0) { (void)fprintf(stderr, "%s: pcap_loop: %s\n", program_name, pcap_geterr(pd)); + if(timelimit>0) + (void)ualarm(0,0); cleanup(0); pcap_close(pd); exit(1); } + if(timelimit>0) + (void)ualarm(0,0); if (RFileName == NULL) info(1); pcap_close(pd); - This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
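Review bot: The getopt string in the 322/323 hunk gains `Q:`, but no hunk in this patch updates the usage message or the manual page, so the new option and its unit are undocumented. Add usage and man page text stating that the argument is a time in seconds, that fractions are accepted, and that tcpdump exits when either this limit or the -c count is reached.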
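Review bot: In the `case 'Q':` hunk the check `if (timelimit < 0)` can never fire, because `timelimit` is declared `useconds_t`, an unsigned type, and the cast has already been applied by the time it is tested. A negative argument is therefore not rejected, text that `atof` cannot parse silently becomes 0, and converting a value too large for `useconds_t` is undefined. Parse into a `double` first, reject values that are negative, unparsable or out of range, and only then convert to `useconds_t`.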
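Review bot: In the `setsignal` hunk, SIGALRM is pointed at the same `cleanup` handler as SIGTERM and SIGINT, so a timeout is handled exactly like an interrupt. The body of `cleanup` is not part of this diff, so whether a -w savefile is flushed and closed on that path cannot be confirmed from these lines, which is the question the message itself raises. Add a comment at the new `setsignal` call stating what `cleanup` guarantees for the dump file, or give SIGALRM its own handler that closes the dump file before exiting.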
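Review bot: In the hunk before `pcap_loop`, the condition `if(timelimit>=0 && ...)` is always true in its first half for the unsigned `timelimit`, so `ualarm(timelimit,0)` is called even when -Q was not given, while the two later guards use `timelimit>0`. Use `timelimit>0` here as well so that a run without -Q never touches the timer and all three conditions agree. The new error branch also exits through `pcap_close(pd); exit(1);` without the `cleanup(0)` call that the `pcap_loop` failure branch just below it makes; use one exit path for both.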