dumpcap, save to text file and line separated

Question

I'm trying to build a solution where dumpcap saves to text file in the format:

timestamp_as_detailed_as_possible, HEX-raw-packet

My goal is to have this continuously streaming each single data packet to the file, separated by newline.

2 questions?:

• Is it possible for dumpcap to take care of fragmented packets, so I'm guaranteed each line contains 1 single full packet?

• Is it OK to have another thread afterwards running and reading lines from the same file, do something with the data and then delete the line when processed - without this interfering with dumpcap?

Answer 1

I'm trying to build a solution where dumpcap saves to text file

Dumpcap doesn't save to text files, it saves to binary pcap or pcapng files.

You might want to consider using tcpdump instead, although you'd have to pipe it to a separate program/script to massage its output into the format you want.

Answer 2

Is it OK to have another thread afterwards running and reading lines from the same file, do something with the data and then delete the line when processed - without this interfering with dumpcap?

No. But this is the wrong approach. A pipe is actually what you should use here, i.e. dumpcap writing to a pipe and the analyzing process reading from it, i.e.

dumpcap -w - | analyzer

Is it possible for dumpcap to take care of fragmented packets, so I'm guaranteed each line contains 1 single full packet?

No, and it is also unclear here what exactly you expect. Usually there is no fragmentation done at the IP level and all since TCP tries to adjust the packet size to not be larger than the MTU anyway. And TCP should be treated as a byte stream only, i.e. don't expect anything you send to end up in a single packet or that multiple send will actually result in multiple packets.