Re: [libpcap][patch] appending to a capture
Mark Johnston <markjdb <at> gmail.com>
2011-06-01 15:10:01 GMT
On Tue, May 31, 2011 at 03:53:22PM -0700, Darren Reed wrote:
> Hi Mark,
> I must admit that I don't see the point of this patch.
> A pcap data file, with packets in it, is something that
> I would create using tcpdump over a specific period
> of time. The data file is thus associated with a very
> specific set of actions. To then append data to that
> file without that data being associated with the
> original action seems wrong.
In my tree at work, the function in used in a program quite similar
to tcpflow. I agree that it doesn't make sense to cat the output of
multiple tcpdump sessions into a single capture file, but it depends on
what I want to do with the recorded packets... in my case they're used
by another program to replay captured flows, so the context in which
they were originally captured doesn't really matter.
> That said, I can also imagine people using this function
> and running into huge performance problems.
I don't see how that is. The function essentially does the following:
- Check if we're writing to stdout. If so, write a header and return.
- Open the file, read the header and make sure it matches the one passed
into the function.