On Wed, Sep 27, 2017 at 10:45:13AM +0000, Anders Broman wrote:
> Hi,
> https://www.google.se/search?q=compress+pcap+on+the+fly

Among the results is an enhancement for tcpdump: https://github.com/the-tcpdump-group/tcpdump/pull/458
And also a bug which was apparently reported by me: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9311

> How difficult would it be to implement something like this in dumpcap
> and any pointers on things to consider?

tcpdump has a '-z' for rotation after switching pcaps, but as the Github user reported, this is not sufficient if you have high traffic which can easily be compressed.

Possible considerations:
- Security: I would not embed zlib or any other compression library in privileged dumpcap, let's write it to a pipe instead. This process should be executed after dropping privileges/capabilities.
- Performance: compression can be CPU intensive depending on the algorithm and its parameters, doing it in a separate process would relieve the main dumpcap process and hopefully avoid packet drop. If people do CPU pinning for dumpcap, they might have to do this for the subprocess as well though.
- Flexibility: gzip seems well-supported, but perhaps others want to use xz or other formats.

Maybe in the future Wireshark (GUI) can also be extended to write compressed, temporary files. This should be an option since it has a CPU hit and increases latency.

--
Kind regards,
Peter Wu
https://lekensteyn.nl

___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives: https://www.wireshark.org/lists/wireshark-dev
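The "write to a pipe, compress in a separate process after dropping privileges" design sketched in the message above, as an added example that is not dumpcap's own code: the capture side forks the compressor, drops uid/gid in the child before exec so no compression library runs with the capture process's rights, and keeps only the pipe's write end. The compressor argv and the uid/gid to drop to are assumed, caller-supplied parameters; the self-test uses `cat` in place of gzip so the bytes can be compared.

```c
/* Added example, not dumpcap code: hand capture data to an unprivileged
 * compressor over a pipe. Compressor argv and uid/gid are assumptions. */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork the compressor: it reads raw capture bytes on stdin and writes to
 * out_fd. Privileges are dropped in the child before exec. Returns the
 * pipe's write end for the capture side, or -1 on error. */
int spawn_compressor(char *const argv[], int out_fd, uid_t uid, gid_t gid, pid_t *pid)
{
    int pfd[2];
    if (pipe(pfd) < 0) return -1;
    *pid = fork();
    if (*pid < 0) { close(pfd[0]); close(pfd[1]); return -1; }
    if (*pid == 0) {                       /* child: drop privileges, then exec */
        close(pfd[1]);
        if (geteuid() == 0) {              /* order matters: groups, gid, uid */
            if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0) _exit(127);
            if (uid != 0 && setuid(0) == 0) _exit(127); /* drop must be irreversible */
        }
        if (dup2(pfd[0], STDIN_FILENO) < 0 || dup2(out_fd, STDOUT_FILENO) < 0) _exit(127);
        close(pfd[0]);
        execvp(argv[0], argv);
        _exit(127);                        /* exec failed */
    }
    close(pfd[0]);                         /* parent keeps only the write end */
    return pfd[1];
}

/* Close the capture side and collect the compressor's exit status (-1 on error). */
int finish_compressor(int fd, pid_t pid)
{
    int status;
    close(fd);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Self-test with a constructed payload and `cat` standing in for gzip:
 * returns 1 if the bytes came back through the subprocess intact. */
int selftest_cat(void)
{
    static const char payload[] = "constructed-pcap-bytes";  /* constructed sample */
    char *const argv[] = { "cat", NULL };
    char buf[64]; int out[2]; pid_t pid; ssize_t n;
    if (pipe(out) < 0) return 0;
    int fd = spawn_compressor(argv, out[1], getuid(), getgid(), &pid);
    close(out[1]);                         /* reader must see EOF once cat exits */
    if (fd < 0) return 0;
    if (write(fd, payload, sizeof payload - 1) != (ssize_t)(sizeof payload - 1)) return 0;
    if (finish_compressor(fd, pid) != 0) return 0;
    n = read(out[0], buf, sizeof buf);
    close(out[0]);
    return n == (ssize_t)(sizeof payload - 1) && memcmp(buf, payload, (size_t)n) == 0;
}
```

For real use the capture loop would pass `{ "gzip", "-c", NULL }` (or `xz`) and an output file descriptor instead of a pipe; the same fd returned by `spawn_compressor` is what the capture side writes pcap blocks to.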