
I am looking for a reliable solution to do packet capture for test automation.

Right now, tcpdump has been used with the following command.

sudo tcpdump -i ens160 -w filename.pcap -G 60 -W 1

I stop tcpdump with:

kill -s SIGINT <pid>

1 out of 20 times tcpdump fails to exit properly, and the pcap file is damaged.

Is there any way to make sure tcpdump will exit properly?

Krisz

1 Answer


There are two ways to avoid a truncated dump file:

  1. As suggested by Doug Smythies, use the termination signal (SIGTERM) instead of SIGINT to kill the tcpdump process:

    kill <pid>
    
  2. Tell tcpdump to write packets directly to the file as each packet is saved (option -U). This way, even using SIGINT, the file will not be truncated. From man tcpdump:

       -U
       --packet-buffered
              If the -w option is not specified, make the printed packet
              output ``packet-buffered''; i.e., as the description of the
              contents of each packet is printed, it will be written to
              the standard output, rather than, when not writing to a
              terminal, being written only when the output buffer fills.

              If the -w option is specified, make the saved raw packet
              output ``packet-buffered''; i.e., as each packet is saved,
              it will be written to the output file, rather than being
              written only when the output buffer fills.

              The -U flag will not be supported if tcpdump was built with
              an older version of libpcap that lacks the pcap_dump_flush()
              function.

Gohu
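Whichever of the two fixes above is used, a test harness still wants to confirm after each run that the capture file is intact before the pcap is handed to the next step. The checker below is an added example, not code from the question or the answer: it walks the classic libpcap format that `tcpdump -w` writes by default (24-byte global header followed by 16-byte record headers), and flags the symptom of a capture killed mid-write, a record whose header or payload runs past end of file. The sample pcap bytes are constructed in the script; pcapng files are out of scope.

```python
import struct

PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"  # 0xa1b2c3d4 stored little-endian (microsecond timestamps)
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16


def check_pcap(data: bytes) -> dict:
    """Walk a classic libpcap file and report whether it is complete.

    Returns {"ok": bool, "packets": int, "reason": str}. A dump that tcpdump did
    not flush before dying usually ends in the middle of a record, which shows
    up here as a record header or packet payload that runs past EOF.
    """
    if len(data) < GLOBAL_HDR_LEN:
        return {"ok": False, "packets": 0, "reason": "short global header"}
    magic = data[:4]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        return {"ok": False, "packets": 0, "reason": "bad magic"}
    snaplen = struct.unpack(endian + "I", data[16:20])[0]  # snaplen field of the global header
    off, count = GLOBAL_HDR_LEN, 0
    while off < len(data):
        if len(data) - off < RECORD_HDR_LEN:
            return {"ok": False, "packets": count, "reason": "truncated record header"}
        # record header: ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)
        incl_len, orig_len = struct.unpack(endian + "II", data[off + 8:off + 16])
        if incl_len > snaplen or incl_len > orig_len:
            return {"ok": False, "packets": count, "reason": "implausible record length"}
        if len(data) - off - RECORD_HDR_LEN < incl_len:
            return {"ok": False, "packets": count, "reason": "truncated packet data"}
        off += RECORD_HDR_LEN + incl_len
        count += 1
    return {"ok": True, "packets": count, "reason": ""}


def build_sample_pcap(payloads) -> bytes:
    """Constructed sample: minimal little-endian pcap, snaplen 65535, link type 1 (Ethernet)."""
    hdr = PCAP_MAGIC_LE + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    records = b""
    for i, p in enumerate(payloads):
        records += struct.pack("<IIII", 1700000000 + i, 0, len(p), len(p)) + p
    return hdr + records


if __name__ == "__main__":
    good = build_sample_pcap([b"\x00" * 60, b"\x11" * 100])
    print(check_pcap(good))        # complete file: 2 packets
    print(check_pcap(good[:-37]))  # capture killed mid-write: truncated packet data
```

In a harness, run the checker on the file produced by each `tcpdump -w` run after the process has exited and fail the test early when `ok` is false instead of discovering the damage later in analysis.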