tcpdump mailing list archives

Re: [libpcap][patch] appending to a capture

From: Darren Reed <darren.reed () oracle com>
Date: Fri, 03 Jun 2011 15:13:13 -0700

On  1/06/11 08:10 AM, Mark Johnston wrote:

Hi Darren,

On Tue, May 31, 2011 at 03:53:22PM -0700, Darren Reed wrote:

Hi Mark,

I must admit that I don't see the point of this patch.

A pcap data file, with packets in it, is something that
I would create using tcpdump over a specific period
of time. The data file is thus associated with a very
specific set of actions. To then append data to that
file without that data being associated with the
original action seems wrong.

In my tree at work, the function in used in a program quite similar
to tcpflow. I agree that it doesn't make sense to cat the output of
multiple tcpdump sessions into a single capture file, but it depends on
what I want to do with the recorded packets... in my case they're used
by another program to replay captured flows, so the context in which
they were originally captured doesn't really matter.

That said, I can also imagine people using this function
and running into huge performance problems.

I don't see how that is. The function essentially does the following:

- Check if we're writing to stdout. If so, write a header and return.
- Open the file, read the header and make sure it matches the one passed
   into the function.
- If it does, lseek to EOF, and if the file was empty, write a header.
- Return the descriptor.

How could this cause a performance problem?


Because for every packet that is appended you need to do:
1. open(2)
2. read(2)
3. seek(2)
4. write(2)
5. close(2)

That's an awful lot of overhead to write 100 bytes out to a file.

My fear is that various people will see this function and end up usingit in place of the other functions in libpcap because they like the nameof this one.

Michael's idea of pcap_reopen() is much better. It supports everythingfrom doing a single packet write to multiple packets with only a singleopen/read/seek.


Darren

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

Current thread:

Re: [libpcap][patch] appending to a capture, (continued)
- - Re: [libpcap][patch] appending to a capture rixed (Jun 01)
  - Re: [libpcap][patch] appending to a capture Mark Johnston (Jun 01)
    - Re: [libpcap][patch] appending to a capture Gerald Combs (Jun 01)
    - Re: [libpcap][patch] appending to a capture Michael Richardson (Jun 01)
    - Re: [libpcap][patch] appending to a capture Sam Roberts (Jun 01)
    - Re: [libpcap][patch] appending to a capture Michael Richardson (Jun 01)
    - Re: [libpcap][patch] appending to a capture Darren Reed (Jun 03)
    - Re: [libpcap][patch] appending to a capture Guy Harris (Jun 03)
    - Re: [libpcap][patch] appending to a capture Michael Richardson (Jun 04)
    - Re: [libpcap][patch] appending to a capture Aaron Turner (Jun 02)
    - Re: [libpcap][patch] appending to a capture Darren Reed (Jun 03)
    - Re: [libpcap][patch] appending to a capture Guy Harris (Jun 03)
    - Re: [libpcap][patch] appending to a capture Darren Reed (Jun 03)
    - Re: [libpcap][patch] appending to a capture Mark (Jun 04)