-
Notifications
You must be signed in to change notification settings - Fork 22
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
FeatReq: follow mode #6
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Since this appears to be the only tool currently allowing a directory to specify the source of pcaps, it would be useful to have a "follow" mode where joincap can merge existing files, but watch the final file for growth as well as watch the specified directory for new pcaps to join. The goal would be to allow one tool to write pcaps while joincap to reads and follows what's written in near-realtime for streaming to other tools that consume pcaps.
If implemented, it may also be necessary to have a start-time option that suppresses output of any packets prior to a given date/time. That would allow one to restart an aborted joincap in follow-mode from a given point without needing to clear out already processed files from the source directory.
The text was updated successfully, but these errors were encountered: