Hi there,

All I wonder is why tcpdump still hasn't any binary dump append feature.

I got some facts and thoughts:

Implementation of the feature mentioned above is just a slight change to libpcap's "savefile.c" (i.e. addition of pcap_dump_open_append or adding an append flag to pcap_dump_open (the first won't break backward compatibility), which will differ from the original function in the absence of the sf_write_header procedure call, append write flags to fopen, check magic header, change position to end of old file) and tcpdump's getopt parsing loop.

All I need is a solution that appends raw tcpdump packets to one file. I could make some crocks that will serve my current purpose (e.g. $tcpdump <opts> -w - | magic_reaper >> old_dump) and won't leave my work place, but I'd like to do some coding that will serve somebody else too.

Here are the main troubles in adding the capability mentioned above, from my own point of view:

1) Adding data to a BIG file will slow down time while tcpdump is positioning at the end of the old file, so some packets will be dropped
2) The whole list is dreaming about a new pcap format http://www.tcpdump.org/pcap/pcap.html

Hmm, strange that I've found nearly one link (http://www.tcpdump.org/lists/workers/2003/04/msg00248.html) and another on some Russian forum where people discuss that problem.

Thank you for your great work!

--
Truly yours, Mikhail Manuilov

-
This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
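
The append steps listed in the message above (append-mode fopen, magic check, no second file header, writes positioned at the end), as an added example that is not part of the original post and is not libpcap code. The names `dump_open_append` and `dump_append` are hypothetical, and the sketch assumes the classic 24-byte savefile header written in the host's own byte order.

```c
#include <stdint.h>
#include <stdio.h>

#define PCAP_MAGIC 0xa1b2c3d4u  /* classic pcap magic, writer's byte order */

struct file_hdr { uint32_t magic; uint16_t vmaj, vmin; int32_t thiszone;
                  uint32_t sigfigs, snaplen, linktype; };      /* 24 bytes */
struct rec_hdr  { uint32_t ts_sec, ts_usec, caplen, len; };    /* 16 bytes */

/* Open `path` for appending records (hypothetical helper, not a libpcap call).
 * A new or empty file gets a fresh header; an existing one must carry the
 * native-order magic and the same snaplen and link type, otherwise NULL. */
FILE *dump_open_append(const char *path, uint32_t snaplen, uint32_t linktype)
{
    struct file_hdr h;
    FILE *f = fopen(path, "a+b");   /* "a": every write lands at end of file */
    if (f == NULL)
        return NULL;
    fseek(f, 0, SEEK_SET);          /* reads may still start at offset 0 */
    size_t n = fread(&h, 1, sizeof h, f);
    if (n == 0) {                   /* empty: this call writes the one header */
        struct file_hdr nh = { PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype };
        fseek(f, 0, SEEK_END);
        if (fwrite(&nh, sizeof nh, 1, f) == 1)
            return f;
    } else if (n == sizeof h && h.magic == PCAP_MAGIC &&
               h.snaplen == snaplen && h.linktype == linktype) {
        fseek(f, 0, SEEK_END);      /* required between a read and a write */
        return f;
    }
    fclose(f);                      /* foreign, byte-swapped or mismatched */
    return NULL;
}

/* Append one packet record: 16-byte record header, then the captured bytes. */
int dump_append(FILE *f, uint32_t sec, uint32_t usec, const void *pkt, uint32_t len)
{
    struct rec_hdr r = { sec, usec, len, len };
    return fwrite(&r, sizeof r, 1, f) == 1 && fwrite(pkt, 1, len, f) == len ? 0 : -1;
}
```

Because the file is opened in append mode, a rejected file is never modified, and a second header can only be written when the file was empty at open time.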