On Wed, Sep 27, 2017 at 10:45:13AM +0000, Anders Broman wrote:
> Hi,
> https://www.google.se/search?q=compress+pcap+on+the+fly
Among the results is an enhancement for tcpdump:
https://github.com/the-tcpdump-group/tcpdump/pull/458
And also a bug which was apparently reported by me:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9311
> How difficult would it be to implement something like this in dumpcap
> and any pointers on things to consider?
tcpdump has a '-z' for rotation after switching pcaps, but as the GitHub
user reported, this is not sufficient if you have high traffic which can
easily be compressed.
Possible considerations:
- Security: I would not embed zlib or any other compression library in
privileged dumpcap, let's write it to a pipe instead. This process
should be executed after dropping privileges/capabilities.
- Performance: compression can be CPU intensive depending on the
algorithm and its parameters, doing it in a separate process would
relieve the main dumpcap process and hopefully avoid packet drop. If
people do CPU pinning for dumpcap, they might have to do this for the
subprocess as well though.
- Flexibility: gzip seems well-supported, but perhaps others want to use
xz or other formats.
Maybe in the future Wireshark (GUI) can also be extended to write
compressed, temporary files. This should be an option since it has a CPU
hit and increases latency.
--
Kind regards,
Peter Wu
https://lekensteyn.nl
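The first consideration above (compress in a separate process that has dropped privileges, fed through a pipe), as an added C example that is not dumpcap's code or anything posted in the thread: the privileged capturing side forks a child, the child wires the pipe to its stdin and the output file to its stdout, drops root, and only then execs the compressor. The compressor command, the output path and the uid/gid 65534 ("nobody") are assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a compressor that reads raw pcap bytes from a pipe and writes the
 * compressed stream to outpath.  The capturing parent never runs compression
 * code; the child drops root before exec.  Returns pid and write end or -1. */
pid_t spawn_compressor(char *const argv[], const char *outpath,
                       uid_t uid, gid_t gid, int *wfd) {
    int pfd[2];
    if (pipe(pfd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(pfd[0]); close(pfd[1]); return -1; }
    if (pid == 0) {                         /* child: becomes the compressor */
        int out = open(outpath, O_WRONLY | O_CREAT | O_TRUNC, 0644);
        if (out < 0 || dup2(pfd[0], STDIN_FILENO) < 0 ||
            dup2(out, STDOUT_FILENO) < 0)
            _exit(127);
        close(pfd[0]); close(pfd[1]); close(out);
        /* Drop groups, gid, then uid; abort rather than run compression as root. */
        if (geteuid() == 0 &&
            (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0))
            _exit(126);
        execvp(argv[0], argv);
        _exit(127);                         /* exec failed */
    }
    close(pfd[0]);                          /* parent keeps only the write end */
    *wfd = pfd[1];
    return pid;
}

/* Push one buffer through the compressor and wait.  Returns the child's exit
 * status (0 on success) or -1.  uid/gid 65534 ("nobody") is an assumption. */
int run_compressor(char *const argv[], const char *outpath,
                   const char *buf, size_t len) {
    int wfd, status;
    pid_t pid = spawn_compressor(argv, outpath, 65534, 65534, &wfd);
    if (pid < 0) return -1;
    while (len > 0) {                       /* write() may be partial */
        ssize_t n = write(wfd, buf, len);
        if (n <= 0) break;
        buf += n; len -= n;
    }
    close(wfd);                             /* EOF lets the compressor flush */
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```

When run as root, the privilege drop happens in the child only, so a crash in the compressor never runs with the capture process's rights; when run unprivileged, the drop is skipped and the pipe plumbing still works the same way.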