travelping / docker-pcap Goto Github PK

Capturing multiple interfaces should be supported, i.e. a list of interfaces is passed as config in environment and each of the interfaces is captured.

Two options:
a) One capture file per interface
b) One capture file with traffic of all interfaces

Replacing tcpdump with dumpcap might be helpful.

As tshark is used now, extended filter syntax can be used (tshark read filter). It should be allowed to pass an extended filter as option to the container in addition to the pcap filter. The pcap filter should always be applied for efficiency. The extended filter should only apply if given as argument.

From dumpcap man page regarding -f <capture filter>:

This option can occur multiple times. If used before the first occurrence of the -i option, it sets the default capture filter expression. If used after an -i option, it sets the capture filter expression for the interface specified by the last -i option occurring before this option. If the capture filter expression is not set specifically, the default capture filter expression is used if provided.

Hence, the filter expression must precede the interfaces. Having different filters per interface must not be supported by this container, IMHO. If I want to trace different stuff on different interface, I would run this container several times.

It should be possible to truncate captured packets by supporting the -s <snaplen> option.

In addition to MAXFILESIZE and MAXFILENUM , also the duration option of tshark (also availbale in dumpcap) should be supported. Capture files can rotate on e.g. daily, even if not filled up.

The MAXFILESIZE and MAXFILENUM envrionment variables are defined, but not considered when running the container as the values are hard-coded in the Dockerfile.

In latest manual the capture rotation option -b also supports an interval option to extend the duration attribute and streamline the rotation of file, i.e. to always rotate at 00:00 and 12:00.

Update the dumpcap/tshark to a version supporting this feature.

While tcpdump used MB as unit, tshark is using kB. Hence, at present the MAXFILESIZE parameter is not applied correctly. That parameter should stick to MB, but the tshark parameter must be set accordingly.

Optionally, uploading trace files to an S3 bucket should be supported.

The file prefix to be used should be configurable.

If capture files from different hosts are collected, there is a name clash at present, so all files need to be manually renamed. Configuring a filename prefix would already create appropriate names for the capture files.