Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ensure that tcpdump is stopped before copying pcap file to GCS in the event of a SIGTERM is received #17

Closed
thomasmburke opened this issue Sep 11, 2024 · 3 comments
Closed

Ensure that tcpdump is stopped before copying pcap file to GCS in the event of a SIGTERM is received #17

thomasmburke opened this issue Sep 11, 2024 · 3 comments
Assignees
@gchux
Labels
enhancement New feature or request

Comments

@thomasmburke
Copy link
Collaborator

Users have encountered The capture file appears to have been cut short in the middle of a packet when trying to look at pcaps we flushed at the time a SIGTERM is received in Wireshark

tcpdump writes the pcap file in blocks of a certain size. This means that during the capturing, the file ends in the middle of a packet. This is because we copy the file while tcpdump is still capturing, the last packet in the file will not be completely written yet, hence the error message in Wireshark.

If we stop tcpdump before copying the file, the remaining buffer will be written to disk and all packets will be complete.

The solution in #16 flushes bytes upon receiving SIGTERM, but currently fails to stop tcpdump before doing so. We should ensure tcpdumpw stops the tcpdump capture before we attempt to flush bytes to GCS in pcapfsn
@thomasmburke thomasmburke added the enhancement New feature or request label Sep 11, 2024
@gchux
Copy link
Owner

gchux commented Sep 11, 2024
edited
Loading

fixing with the following changes: d6d0404

important parts:

IMPORTANT NOTES:

  • tcpdump will be immediately stopped ( this is what we want for wireshark )
  • jsondump will be immediately stopped but it may be delayed if there are too many packets queued/pending to be translated (which is specially noticeable with low CPU allocations), so it is VERY IMPORTANT to define well scoped BPF filters to capture only the required traffic and nothing else; i/e: tcp or udp or tcp are, in general, SLOW filters.
  • here's a sample using the BPF filter tcp or udp where packets captured from ipvlan-eth0 were not done being translated after 3s, and so pcap_fsn flushed without waiting for the signal from tcpdumpw:

image

  • and here's a sample using BPF filter tcp port 8080 where all engines ( tcpdump and gopacket/jsondump ) were stopped immediately:

image

@gchux gchux self-assigned this Sep 11, 2024
@gchux
Copy link
Owner

gchux commented Sep 11, 2024

available at ghcr.io/gchux/cloud-run-tcpdump:v1.0.60-RC6

@gchux
Copy link
Owner

gchux commented Sep 13, 2024

fixed with: https://github.com/gchux/cloud-run-tcpdump/releases/tag/v1.0.60

@gchux gchux closed this as completed Sep 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@gchux gchux

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@thomasmburke @gchux