Wireshark-dev: [Wireshark-dev] Dumpcap, reporting closed file
I am interested in making dumpcap report when it closes a file, so
that another utility can start to parse the file. This would be
especially useful in multiple files/ringbuffer mode.
I've played with the -Z option after finding it in the code but it
still only reports when the next file is opened. I could script and
buffer the last filename but this wouldn't work so well when dumpcap
is closing. i.e. dumpcap closes and EOF is set, but we don't know if
there was an error condition (so should we process the last file or
not?).
If dumpcap could report that a file was successfully closed this would
be easier. I have so far modified the code to report on exit (^C) by
adding a function report_closed_capture_file, in the same way that
report_new_capture_file works. This has the benefit of working in
capture child mode too.
This doesn't work in ring buffer mode though. I see
ringbuf_switch_file in two places in dumpcap.c. This returns
successfully if the file switch succeeds, but by this point we do not
know the last filename.
So my question is as follows: is it worth modifying dumpcap to have
this function? Or has somebody already written a script/program to do
the same? If there's a better way to achieve this, I would be happy
to hear about it.
Thanks,
David
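As an added example (not part of this post or of Wireshark's own code), here is the "script and buffer the last filename" approach done as a small wrapper around dumpcap's stderr, which also deals with the exit-status question for the final file. It assumes dumpcap prints a "File: <path>" line to stderr each time it opens a ring-buffer file; the sample output below is constructed.

```python
"""Hand dumpcap ring-buffer files to a parser only once they are closed."""
import subprocess
from typing import Callable, Iterable, Iterator, List, Tuple

PREFIX = "File: "   # assumption: dumpcap's per-file notice on stderr

# Constructed sample of dumpcap stderr during a -b (ring buffer) capture.
SAMPLE_STDERR = """\
Capturing on 'eth0'
File: /tmp/cap_00001_20240101120000.pcapng
Packets: 120
File: /tmp/cap_00002_20240101120100.pcapng
File: /tmp/cap_00003_20240101120200.pcapng
"""

def closed_files(lines: Iterable[str],
                 finish: Callable[[], int]) -> Iterator[Tuple[str, bool]]:
    """Yield (path, verified) as capture files become safe to parse.

    A file is known to be closed as soon as dumpcap reports opening the
    next one, so it is yielded at once with verified=True.  The last file
    can only be judged after dumpcap exits: finish() must return the exit
    status, and that file is yielded with verified=(status == 0) so the
    caller decides whether to process it after an error or a ^C.
    """
    current = None
    for line in lines:
        if line.startswith(PREFIX):
            if current is not None:
                yield current, True          # previous file is now closed
            current = line[len(PREFIX):].strip()
    if current is not None:
        yield current, finish() == 0         # final file, trusted on clean exit

def run_dumpcap(argv: List[str]) -> Iterator[Tuple[str, bool]]:
    """Stream closed-file events from a live dumpcap, e.g.
    run_dumpcap(['dumpcap', '-i', 'eth0', '-b', 'duration:60',
                 '-w', '/tmp/cap.pcapng'])."""
    proc = subprocess.Popen(argv, stderr=subprocess.PIPE, text=True)
    # stderr is read line by line, so events fire while the capture runs;
    # proc.wait is only called once stderr hits EOF (dumpcap has exited).
    return closed_files(proc.stderr, proc.wait)

if __name__ == "__main__":
    for path, ok in closed_files(SAMPLE_STDERR.splitlines(), lambda: 0):
        print(("parse " if ok else "unverified: ") + path)
```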