Should have an option to dump captured packets as .pcap file #126

Open
xtaran opened this issue Dec 13, 2023 · 2 comments

Comments

@xtaran

xtaran commented Dec 13, 2023

It's nice to see a threaded packet sniffer with seccomp. But it seems to lack a possibility to dump the captured packets onto disk.

Is this something on the roadmap? Or totally out of scope? Or already there and just not documented?

@kpcyrd
Owner

kpcyrd commented Dec 13, 2023

Writing pcaps has been requested multiple times; I think I'd like to understand the use-case more:

Do you want one singular pcap file that sniffglue writes to until terminated? In theory you can currently keep sniffglue running indefinitely, but when writing pcaps you'd eventually run out of disk unless you terminate and restart sniffglue periodically. During startup sniffglue discards access to the file system (depending on the operating system, using pledge and unveil, or by doing a combination of chroot then removing the process's chroot capabilities). Because of this, it's possible to open a file to write to during startup, but features like "log rotation" for pcaps can't be implemented because the process may close open files but not open any new ones.

I hesitated because of this, and that's why I'm asking if writing to a singular file would be sufficient for your use-case.
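As an added example that is not part of this thread or of sniffglue's own code: a minimal libpcap-format writer built around the constraint described above, where the output handle is opened once at startup and the process can then give up filesystem access (the sandbox step is a hypothetical, commented-out function; the snaplen and frames are constructed sample values).

```rust
// Added example (not sniffglue's code): minimal libpcap-format writer over an
// already-open sink, so the file is opened once at startup, before the process
// drops filesystem access; one file, no rotation.
use std::io::{self, Write};

const PCAP_MAGIC: u32 = 0xa1b2_c3d4; // microsecond timestamps, little-endian here
const LINKTYPE_ETHERNET: u32 = 1;

pub struct PcapWriter<W: Write> { sink: W, snaplen: u32, packets: u64 }

impl<W: Write> PcapWriter<W> {
    /// Writes the 24-byte global header; `sink` must already be open.
    pub fn new(mut sink: W, snaplen: u32) -> io::Result<Self> {
        sink.write_all(&PCAP_MAGIC.to_le_bytes())?;
        sink.write_all(&2u16.to_le_bytes())?; // version major
        sink.write_all(&4u16.to_le_bytes())?; // version minor
        sink.write_all(&0i32.to_le_bytes())?; // thiszone (GMT offset)
        sink.write_all(&0u32.to_le_bytes())?; // sigfigs
        sink.write_all(&snaplen.to_le_bytes())?;
        sink.write_all(&LINKTYPE_ETHERNET.to_le_bytes())?;
        Ok(Self { sink, snaplen, packets: 0 })
    }

    /// Appends one record: 16-byte header, then the frame truncated to snaplen.
    pub fn write_packet(&mut self, ts_sec: u32, ts_usec: u32, frame: &[u8]) -> io::Result<()> {
        let orig_len = frame.len() as u32;
        let incl_len = orig_len.min(self.snaplen);
        for field in [ts_sec, ts_usec, incl_len, orig_len].iter() {
            self.sink.write_all(&field.to_le_bytes())?;
        }
        self.sink.write_all(&frame[..incl_len as usize])?;
        self.packets += 1;
        Ok(())
    }

    pub fn packets(&self) -> u64 { self.packets }
    pub fn flush(&mut self) -> io::Result<()> { self.sink.flush() }
}

/// Startup order the sandbox forces: open the output, then drop filesystem
/// access (hypothetical step, commented out), then capture and write indefinitely.
pub fn demo_capture(sink: &mut Vec<u8>) -> io::Result<u64> {
    let mut w = PcapWriter::new(&mut *sink, 64)?; // opened before sandboxing
    // sandbox_drop_filesystem_access(); // hypothetical pledge/unveil or chroot step
    let frame = vec![0u8; 100]; // constructed 100-byte frame, cut to snaplen 64
    w.write_packet(1_702_425_600, 0, &frame)?;
    w.write_packet(1_702_425_600, 250, &frame[..40])?;
    w.flush()?;
    Ok(w.packets())
}
```

Because the sink is taken by value, the same writer works over a `std::fs::File` opened before the sandbox step as it does over the in-memory buffer used here.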

@xtaran
Author

xtaran commented Dec 13, 2023

I'd like to understand the use-case more

Maybe I can explain it the other way round: Due to its threadedness and the use of seccomp I had a look at sniffglue as a potential tcpdump replacement, also because we occasionally had performance issues with tcpdump (usually on > 10 GBit/s interfaces) and more threads sounded like a way to get around these issues.

Common use cases where I want to save a PCAP file:

  • Capture now, analyse later.
  • Capture on a different host and later have a detailed look at it with Wireshark on another host.
  • Permanently running tcpdump with rather narrow filters for capturing occurrences of really rare situations (like situations which appear only every other week, etc.)
  • Some SNORT setups run tcpdump for e.g. 5 minutes, then restart tcpdump and while the next round of tcpdump is running SNORT analyses the captured 5-minute-pcap-file in parallel with different rule sets in each SNORT process. (Advantage is that you have to capture it only once instead of once per SNORT process respectively rule set.)
  • For replaying captured traffic.
  • I often use something like tcpdump -c 1000 -w file.pcap "some pcapfilter rule" to let tcpdump run until it has captured 1000 examples, wait for it to finish and then I hopefully have enough different examples to understand what's going on. (Actually I just noticed that sniffglue doesn't seem to support PCAP filters either so far. But this is only needed for some of these scenarios.)
  • Keeping a proof of a weird network situation. (You might know that saying "PCAP or it didn't happen!" 😉)
