[tcpdump-workers] Re: Flush OS buffer before termination
On Oct 19, 2024, at 5:01 PM, Garri Djavadyan wrote:

> I am looking for a way to force tcpdump to flush Linux OS buffer before
> terminating. I have checked the man page and the mailing list archives
> but did not manage to find anything related.
>
> When I terminate tcpdump process with SIGINT or SIGTERM, the process
> quits immediately, leaving packets in the buffer. I know that the
> signal USR2 forces the buffer to be flushed, but it does stop filling
> the buffer and the process remains active.
>
> I have to use a very big buffer with a very slow storage, much slower
> than the rate of coming packets received by the filter, and it is
> preferred not to lose a single packet after initiating termination of
> the process.

OK, so is the buffer to which you're referring the buffer that holds captured packets for tcpdump to read, i.e. the *input* buffer for tcpdump, rather than, for example, the standard I/O buffer containing packet dissection text to be printed or the I/O buffer containing packets to be written to the file specified by -w, i.e. an *output* buffer for tcpdump?

___
tcpdump-workers mailing list -- tcpdump-workers@lists.tcpdump.org
To unsubscribe send an email to tcpdump-workers-le...@lists.tcpdump.org

[tcpdump-workers] Flush OS buffer before termination
Hello everyone,

I am looking for a way to force tcpdump to flush Linux OS buffer before terminating. I have checked the man page and the mailing list archives but did not manage to find anything related.

When I terminate tcpdump process with SIGINT or SIGTERM, the process quits immediately, leaving packets in the buffer. I know that the signal USR2 forces the buffer to be flushed, but it does stop filling the buffer and the process remains active.

I have to use a very big buffer with a very slow storage, much slower than the rate of coming packets received by the filter, and it is preferred not to lose a single packet after initiating termination of the process.

There are a few options to overcome the problem. For example, by dumping packets to the memory storage first (e.g. /dev/shm) or by keeping the process active for a sufficient amount of time after it is decided to stop the activity. Still, I wonder if this can be done by tcpdump itself.

I was checking the behaviour using Linux kernel version 6.11.3 and tcpdump/libpcap version 4.99.5/1.10.5.

Thank you.

Regards,
Garri