Hello everyone, I am looking for a way to force tcpdump flush Linux OS buffer before terminating. I have checked the man page and the mailing list archives but did not manage to find anything related.
When I terminate tcpdump process with SIGINT or SIGTERM, the process quits immediately, leaving packets in the buffer. I know that the signal USR2 forces the buffer to be flushed, but it does stop filling the buffer and the process remains active. I have to use a very big buffer with a very slow storage, much slower than the rate of coming packets received by the filter, and it is preferred not to lose a single packet after initiating termination the process. There are a few options to overcome the problem. For example, by dumping packets to the memory storage first (e.g. /dev/shm) or to keep the process active for sufficient amount of time after was is decided to stop the activity. Still, I wonder if this can be done by tcpdump itself. I was checking the behaviour using Linux kernel version 6.11.3 and tcpdump/libpcap version 4.99.5/1.10.5. Thank you. Regards, Garri _______________________________________________ tcpdump-workers mailing list -- tcpdump-workers@lists.tcpdump.org To unsubscribe send an email to tcpdump-workers-le...@lists.tcpdump.org %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
