From 46289df6bc8f573bc01be4fb4aa93343ecc6d50a Mon Sep 17 00:00:00 2001 From: Tobias Klauser Date: Mon, 27 Apr 2015 10:50:14 +0200 Subject: netsniff-ng: Rotate pcap files prematurely on SIGHUP Allow to send SIGHUP to a running netsniff-ng process, causing it to prematurely rotate the output PCAP when the output device (-o/--out) is a directory. The rotating interval (time/file size) will be reset. Suggested by dcode in #140 Signed-off-by: Tobias Klauser --- netsniff-ng.8 | 14 ++++++++------ netsniff-ng.c | 34 +++++++++++++++++++++++++--------- 2 files changed, 33 insertions(+), 15 deletions(-) diff --git a/netsniff-ng.8 b/netsniff-ng.8 index 82c0f78..31c4907 100644 --- a/netsniff-ng.8 +++ b/netsniff-ng.8 @@ -77,12 +77,14 @@ a folder, a trafgen(8) configuration file or stdout (\[lq]-\[rq]). In the case o file that should not have the default pcap type (0xa1b2c3d4), the additional option \[lq]\-T\[rq] must be provided. If a directory is given, then, instead of a single pcap file, multiple pcap files are generated with rotation based on -maximum file size or a given interval (\[lq]\-F\[rq] option). A trafgen configuration -file can currently only be specified if the input device is a pcap file. To -specify a pcap file as the output device, the file name must have -\[lq].pcap\[rq] as its extension. If stdout is given as a device, then a trafgen -configuration will be written to stdout if the input device is a pcap file, or a -pcap file if the input device is a networking device. +maximum file size or a given interval (\[lq]\-F\[rq] option). Optionally, +sending the SIGHUP signal to the netsniff-ng process causes a premature rotation +of the file. A trafgen configuration file can currently only be specified if the +input device is a pcap file. To specify a pcap file as the output device, the +file name must have \[lq].pcap\[rq] as its extension. If stdout is given as a +device, then a trafgen configuration will be written to stdout if the input +device is a pcap file, or a pcap file if the input device is a networking +device. .PP .SS -C , --fanout-group If multiple netsniff-ng instances are being started that all have the same packet diff --git a/netsniff-ng.c b/netsniff-ng.c index ee9dc38..2b9732e 100644 --- a/netsniff-ng.c +++ b/netsniff-ng.c @@ -66,7 +66,7 @@ struct ctx { uint32_t fanout_group, fanout_type; }; -static volatile sig_atomic_t sigint = 0; +static volatile sig_atomic_t sigint = 0, sighup = 0; static volatile bool next_dump = false; static const char *short_options = "d:i:o:rf:MNJt:S:k:n:b:HQmcsqXlvhF:RGAP:Vu:g:T:DBUC:K:L:"; @@ -134,7 +134,10 @@ static void signal_handler(int number) case SIGQUIT: case SIGTERM: sigint = 1; + break; case SIGHUP: + sighup = 1; + break; default: break; } @@ -739,6 +742,18 @@ static int next_multi_pcap_file(struct ctx *ctx, int fd) return fd; } +static void reset_interval(struct ctx *ctx) +{ + if (ctx->dump_mode == DUMP_INTERVAL_TIME) { + interval = ctx->dump_interval; + + set_itimer_interval_value(&itimer, interval, 0); + setitimer(ITIMER_REAL, &itimer, NULL); + } else { + interval = 0; + } +} + static int begin_multi_pcap_file(struct ctx *ctx) { int fd, ret; @@ -765,14 +780,7 @@ static int begin_multi_pcap_file(struct ctx *ctx) panic("Error prepare writing pcap!\n"); } - if (ctx->dump_mode == DUMP_INTERVAL_TIME) { - interval = ctx->dump_interval; - - set_itimer_interval_value(&itimer, interval, 0); - setitimer(ITIMER_REAL, &itimer, NULL); - } else { - interval = 0; - } + reset_interval(ctx); return fd; } @@ -852,6 +860,14 @@ static void update_pcap_next_dump(struct ctx *ctx, unsigned long snaplen, int *f } } + if (sighup) { + if (ctx->verbose) + printf("SIGHUP received, prematurely rotating pcap\n"); + sighup = 0; + next_dump = true; + reset_interval(ctx); + } + if (next_dump) { *fd = next_multi_pcap_file(ctx, *fd); next_dump = false; -- cgit v1.2.3-54-g00ecf