Bugfix: make sure pcapng header is always written

If a capture is stopped before the pcapng header is written, when starting a new capture Wireshark does not open the control input pipe for writing which causes our extcap to hang when trying to open it.
aquasecurity · May 28, 2024 · 4ebbfd5 · 4ebbfd5
1 parent 520976d
commit 4ebbfd5
Showing 1 changed file with 5 additions and 7 deletions.
diff --git a/extcap/tracee-capture.py b/extcap/tracee-capture.py
@@ -5,7 +5,7 @@
 import argparse
 from ctypes import cdll, byref, create_string_buffer
 import os
-import select
+from select import select
 import shutil
 import signal
 import socket
@@ -492,7 +492,9 @@ def _init_pcapng(self) -> pcapng.FileWriter:
         )
 
         with self._lock:
-            return pcapng.FileWriter(self._extcap_pipe_f, shb)
+            writer = pcapng.FileWriter(self._extcap_pipe_f, shb)
+            self._extcap_pipe_f.flush()
+            return writer
 
     def _parse_ts(self, event: bytes) -> int:
         if not event.startswith(b'{"timestamp":'):
@@ -877,8 +879,6 @@ def toolbar_control(control_inf: BinaryIO, control_output_manager: ControlOutput
             arg, _, payload = control_read(control_inf)
         except OSError:
             break
-        if arg is None:
-            break
         if not running:
             break
 
@@ -1044,7 +1044,7 @@ def handle_connection(transport: paramiko.Transport, dst_addr: str, dst_port: in
         return
 
     while True:
-        r, _, _ = select.select([sock, channel], [], [])
+        r, _, _ = select([sock, channel], [], [])
         if sock in r:
             try:
                 data = sock.recv(1024)
@@ -1279,8 +1279,6 @@ def tracee_capture(args: argparse.Namespace):
 
     if len(logs_err) > 0:
         error(f'Tracee exited with error message:\n{logs_err}')
-
-    control_outf.close()
 
 
 def handle_reload(option: str, args: argparse.Namespace):