Building a solution for an enhanced realtime capture method
Xplico is a Network Forensic Analysis Tool (NFAT)
Brought to you by: cgacimartin, glcosta
As Xplico was born to decode, not to capture, a single process does both tasks. If decoding needs more CPU time, it will not listen on the interface and so will lose data.
So, a more or less functional system would be to use tcpdump, writing to a pipe and giving its contents to Xplico. In this way, Xplico would process all the info.
# fifo that Xplico reads as its realtime capture
mkfifo /opt/xplico/pol_1/sol_1/decode/rt.pcap
# start the capture (tshark here; tcpdump -w works the same way)
touch /tmp/tmp.pcap
# tail from the first byte (-c +1): a plain "tail -f" skips to the last lines of a binary file and the pcap global header never reaches the fifo
tail -c +1 -f /tmp/tmp.pcap > /opt/xplico/pol_1/sol_1/decode/rt.pcap &
# -F pcap forces classic pcap output (newer tshark writes pcapng by default)
(tshark -i eth0 -F pcap -w /tmp/tmp.pcap) &
Problem: tmp.pcap could grow and use the entire disk, a big problem. Pipes can change their size (system variable PIPE_SIZE).
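As an added example (not Xplico's code and not from the original post): instead of staging the capture in tmp.pcap, a small relay reads the pcap stream that tcpdump writes to stdout, keeps at most a fixed number of bytes in memory while Xplico falls behind, and tail-drops whole records beyond that, so the disk can never fill and the stream Xplico sees stays parseable. The fifo path is the one from the post; the 64 MiB cap, the script name and the constructed sample capture are assumptions.

```python
import io, os, struct, sys
from collections import deque

def iter_pcap_chunks(stream):
    # Yield the 24-byte pcap global header, then each record (16-byte header + body) as one chunk.
    header = stream.read(24)
    fmt = {b"\xd4\xc3\xb2\xa1": "<IIII", b"\xa1\xb2\xc3\xd4": ">IIII"}.get(header[:4])
    if len(header) != 24 or fmt is None:
        raise ValueError("not a classic pcap stream (pcapng? capture with tshark -F pcap)")
    yield header
    while rec_hdr := stream.read(16):                 # a 1..15 byte tail raises struct.error
        incl_len = struct.unpack(fmt, rec_hdr)[2]     # ts_sec, ts_usec, incl_len, orig_len
        if len(body := stream.read(incl_len)) != incl_len:
            raise ValueError("truncated pcap record")
        yield rec_hdr + body

def relay(src, write_fn, max_buffer):
    # write_fn(chunk) -> bytes the fifo took (0 = would block); returns (forwarded, dropped, backlog).
    queue, queued, dropped = deque(), 0, 0
    def flush():
        nonlocal queued
        while queue:
            n = write_fn(queue[0])
            if n == 0:
                return                                # Xplico is behind: keep the backlog in RAM
            queued -= n
            queue[0] = queue[0][n:]                   # partial write: finish the record next time
            if not queue[0]:
                queue.popleft()
    for i, chunk in enumerate(iter_pcap_chunks(src)):
        if i and queued + len(chunk) > max_buffer:
            dropped += 1                              # tail-drop a whole record, never the header
        else:
            queue.append(chunk)
            queued += len(chunk)
        flush()
    return i - dropped, dropped, queue

def build_sample_pcap(sizes):
    # Constructed test input: little-endian pcap, LINKTYPE_ETHERNET, one zero-filled record per size.
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return io.BytesIO(header + b"".join(struct.pack("<IIII", 0, i, n, n) + bytes(n) for i, n in enumerate(sizes)))

if __name__ == "__main__":   # tcpdump -i eth0 -w - | python3 relay.py /opt/xplico/pol_1/sol_1/decode/rt.pcap
    with open(sys.argv[1], "wb", buffering=0) as fifo:   # open blocks until Xplico reads the fifo
        os.set_blocking(fifo.fileno(), False)             # a full fifo now returns None, not a stall
        fwd, drop, backlog = relay(sys.stdin.buffer, lambda c: fifo.write(c) or 0, 64 << 20)
        os.set_blocking(fifo.fileno(), True)
        fifo.writelines(backlog)                          # capture ended: drain the backlog
    print(f"forwarded={fwd} dropped={drop}", file=sys.stderr)
```

The dropped count printed at the end is the number to watch: a non-zero value means the decoder could not keep up and packets were discarded rather than written to disk.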