Wireshark-dev: Re: [Wireshark-dev] Dumpcap on the fly capture compression?

From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Thu, 28 Sep 2017 10:47:03 +0100
On Wed, Sep 27, 2017 at 10:45:13AM +0000, Anders Broman wrote:
> Hi,
> https://www.google.se/search?q=compress+pcap+on+the+fly

Among the results is an enhancement for tcpdump:

https://github.com/the-tcpdump-group/tcpdump/pull/458

And also a bug which was apparently reported by me:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9311

> How difficult would it be to implement something like this in dumpcap
> and any pointers on things to consider?

tcpdump has a '-z' for rotation after switching pcaps, but as the GitHub
user reported, this is not sufficient if you have high traffic which can
easily be compressed.

Possible considerations:

- Security: I would not embed zlib or any other compression library in
  privileged dumpcap; let's write it to a pipe instead. This process
  should be executed after dropping privileges/capabilities.

- Performance: compression can be CPU intensive depending on the
  algorithm and its parameters; doing it in a separate process would
  relieve the main dumpcap process and hopefully avoid packet drops. If
  people do CPU pinning for dumpcap, they might have to do this for the
  subprocess as well though.

- Flexibility: gzip seems well-supported, but perhaps others want to use
  xz or other formats.

Maybe in the future Wireshark (GUI) can also be extended to write
compressed temporary files. This should be an option since it has a CPU
hit and increases latency.
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl
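A sketch of the pipe-based design discussed in the message above, as an added example that is not part of the original post or of the Wireshark/dumpcap project: dumpcap writes the capture to stdout (`-w -`) and a separate gzip/xz process does the compression, so no compression library is linked into the privileged capture process and the compressor can run without its capabilities. The function names, the optional `RUN_AS` command prefix (e.g. `sudo -u nobody`, for the case where the pipeline is started as root), and the constructed 44-byte sample pcap are my own assumptions; `selfcheck` exercises only the compressor stage, offline and without dumpcap.

```shell
#!/bin/sh
# Added example, not dumpcap project code.  Assumes: dumpcap accepts `-w -`
# (write to stdout), gzip/xz are on PATH, and RUN_AS is an optional prefix
# (assumed, e.g. "sudo -u nobody") that starts the compressor as another user.
set -u

# compress_stream OUT [gzip|xz] [LEVEL]: compress stdin into OUT with an
# external tool.  Runs in its own process, so the capture side never needs
# zlib/liblzma and the compressor never needs CAP_NET_RAW/CAP_NET_ADMIN.
compress_stream() {
  out=$1; comp=${2:-gzip}; level=${3:-6}
  case "$comp" in
    gzip) gzip -"$level" -c > "$out" ;;
    xz)   xz -"$level" -c   > "$out" ;;
    *)    echo "compress_stream: unknown compressor '$comp'" >&2; return 2 ;;
  esac
}

# capture_compressed IFACE OUT [gzip|xz] [LEVEL]: privileged capture -> pipe ->
# unprivileged compressor.  Only dumpcap holds capabilities; RUN_AS (assumed)
# lets the compressor drop to a plain user when this script itself is root.
# For CPU pinning, prefix each stage with e.g. `taskset -c N` (util-linux).
capture_compressed() {
  iface=$1; out=$2; comp=${3:-gzip}; level=${4:-6}
  case "$comp" in gzip|xz) ;; *) echo "unknown compressor '$comp'" >&2; return 2 ;; esac
  # RUN_AS is intentionally unquoted so "sudo -u nobody" splits into words.
  dumpcap -i "$iface" -w - | ${RUN_AS:-} "$comp" -"$level" -c > "$out"
}

# make_sample_pcap: constructed input standing in for dumpcap's stdout.
# pcap global header (LE magic, v2.4, snaplen 65535, DLT_EN10MB = 1) followed
# by one record (ts 1.0s, 4 bytes captured/original, payload de ad be ef).
make_sample_pcap() {
  printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000'
  printf '\001\000\000\000\000\000\000\000\004\000\000\000\004\000\000\000\336\255\276\357'
}

# selfcheck [gzip|xz]: push the sample through the compressor stage and verify
# that decompressing the result gives back the original bytes.  Returns 0 on success.
selfcheck() {
  comp=${1:-gzip}
  dir=$(mktemp -d) || return 1
  make_sample_pcap > "$dir/in.pcap"
  if ! make_sample_pcap | compress_stream "$dir/out.pcap.$comp" "$comp"; then
    rm -rf "$dir"; return 1
  fi
  "$comp" -dc "$dir/out.pcap.$comp" | cmp -s - "$dir/in.pcap"
  rc=$?
  rm -rf "$dir"
  return $rc
}

# Usage: ./capture.sh --selfcheck            (offline round-trip test)
#        RUN_AS="sudo -u nobody" capture_compressed eth0 /var/tmp/cap.pcapng.gz gzip 6
if [ "${1:-}" = "--selfcheck" ]; then selfcheck gzip; fi
```

Note that the capture is already pcapng when dumpcap writes it, so the compressed file is simply gunzipped (or `xz -d`) before opening it in Wireshark; the tradeoff the message mentions remains: a slow compressor on a busy link will back-pressure the pipe, so pick the level and CPU placement for the compressor as deliberately as for dumpcap itself.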