Sysdig capture running endless while using filters #1696
Labels
Comments
|
right the timing check happens after the filter so it'd run until the filter is matched. It could be moved up at a non-zero but ultimately meaningless cost. The real skill here would be to try to do it at almost no cost. The other "bug" in the current implementation is the reference time stamp isn't set until the first matched packet. I call it a "bug" in quotes here because "capture for n seconds after the first match" is useful and it's what it currently does under these constraints. So I guess the way to maintain this albeit undocumented backward compatibility would be to make the timer still start on first match and the capture stop after the time lapse. I'll do a PR that does this "at cost" - at a likely unmeasurable overhead and hopefully we'll be good to go. |
kristopolous
added a commit
to kristopolous/sysdig
that referenced
this issue
Oct 17, 2020
The timeout check was being after packets were filtered meaning that a timeout could possibly never be observed. This was changed so the timeout check could be triggered by any event, not just ones matching the filter. Also, the start of the timer was being triggered by the first matched event. This is a useful yet previously undocumented behavior so it has been preserved and documented in the help text.
kristopolous
added a commit
to kristopolous/sysdig
that referenced
this issue
Oct 18, 2020
The timeout check was being after packets were filtered meaning that a timeout could possibly never be observed. This was changed to introduce an optional system that allows people to specify whether they want the clock to be triggered by any packet (a) or a filtered match (f). They can specify this optionally after the -M argument. If a user uses a number with no argument, backwards compatibility is maintained (which is 'ff'). Otherwise they can specify either 1 or 2 letters such as, for example "15aa" or "12af" or just "11a". The help text has been modified to talk about these new options.
kristopolous
added a commit
to kristopolous/sysdig
that referenced
this issue
Oct 18, 2020
The timeout check was being after packets were filtered meaning that a timeout could possibly never be observed. This was changed to introduce an optional system that allows people to specify whether they want the clock to be triggered by any packet (a) or a filtered match (f). They can specify this optionally after the -M argument. If a user uses a number with no argument, backwards compatibility is maintained (which is 'ff'). Otherwise they can specify either 1 or 2 letters such as, for example "15aa" or "12af" or just "11a". The help text has been modified to talk about these new options.
kristopolous
added a commit
to kristopolous/sysdig
that referenced
this issue
Oct 18, 2020
The timeout check was being after packets were filtered meaning that a timeout could possibly never be observed. This was changed to introduce an optional system that allows people to specify whether they want the clock to be triggered by any packet (a) or a filtered match (f). They can specify this optionally after the -M argument. If a user uses a number with no argument, backwards compatibility is maintained (which is 'ff'). Otherwise they can specify either 1 or 2 letters such as, for example "15aa" or "12af" or just "11a". The help text has been modified to talk about these new options.
kristopolous
added a commit
to kristopolous/sysdig
that referenced
this issue
Oct 18, 2020
The timeout check was being after packets were filtered meaning that a timeout could possibly never be observed. This was changed so the timeout check could be triggered by any event, not just ones matching the filter. Also, the start of the timer was being triggered by the first matched event. This is a useful yet previously undocumented behavior so it has been preserved and documented in the help text.
|
so i've got two options for PRs to fix the issue. I like the second one myself - it's a stronger offering and maintains full backwards compatibility. |
kristopolous
added a commit
to kristopolous/sysdig
that referenced
this issue
Oct 18, 2020
The timeout check was being after packets were filtered meaning that a timeout could possibly never be observed. This was changed to introduce an optional system that allows people to specify whether they want the clock to be triggered by any packet (a) or a filtered match (f). They can specify this optionally after the -M argument. If a user uses a number with no argument, backwards compatibility is maintained (which is 'ff'). Otherwise they can specify either 1 or 2 letters such as, for example "15aa" or "12af" or just "11a". The help text has been modified to talk about these new options.
kristopolous
added a commit
to kristopolous/sysdig
that referenced
this issue
Oct 18, 2020
The timeout check was being after packets were filtered meaning that a timeout could possibly never be observed. This was changed to introduce an optional system that allows people to specify whether they want the clock to be triggered by any packet (a) or a filtered match (f). They can specify this optionally after the -M argument. If a user uses a number with no argument, backwards compatibility is maintained (which is 'ff'). Otherwise they can specify either 1 or 2 letters such as, for example "15aa" or "12af" or just "11a". The help text has been modified to talk about these new options.
kristopolous
added a commit
to kristopolous/sysdig
that referenced
this issue
Oct 18, 2020
The timeout check was being after packets were filtered meaning that a timeout could possibly never be observed. This was changed to introduce an optional system that allows people to specify whether they want the clock to be triggered by any packet (a) or a filtered match (f). They can specify this optionally after the -M argument. If a user uses a number with no argument, backwards compatibility is maintained (which is 'ff'). Otherwise they can specify either 1 or 2 letters such as, for example "15aa" or "12af" or just "11a". The help text has been modified to talk about these new options. sysdig-CLA-1.0-signed-off-by: Christopher McKenzie <kristopolous@yahoo.com>
kristopolous
added a commit
to kristopolous/sysdig
that referenced
this issue
Oct 18, 2020
The timeout check was being after packets were filtered meaning that a timeout could possibly never be observed. This was changed so the timeout check could be triggered by any event, not just ones matching the filter. Also, the start of the timer was being triggered by the first matched event. This is a useful yet previously undocumented behavior so it has been preserved and documented in the help text. sysdig-CLA-1.0-signed-off-by: Christopher McKenzie <kristopolous@yahoo.com>
kristopolous
added a commit
to kristopolous/sysdig
that referenced
this issue
Oct 18, 2020
The timeout check was being triggered only after filtered events thus a timeout could possibly never be observed. This was changed so the timeout check could be triggered by any event, not just ones matching the filter. Also, the start of the timer was being triggered by the first matched event. This is a useful yet previously undocumented behavior so it has been preserved and documented in the help text. sysdig-CLA-1.0-signed-off-by: Christopher McKenzie <kristopolous@yahoo.com>
kristopolous
added a commit
to kristopolous/sysdig
that referenced
this issue
Oct 18, 2020
The timeout check was being triggered only by filter-matched events which meant a timeout could possibly never be observed. This was changed to introduce an optional system that allows people to specify whether they want the clock to be triggered by any packet (a) or a filtered match (f). They can specify this optionally after the -M argument. If a user uses a number with no argument, backwards compatibility is maintained (which is 'ff'). Otherwise they can specify either 1 or 2 letters such as, for example "15aa" or "12af" or just "11a". The help text has been modified to talk about these new options. sysdig-CLA-1.0-signed-off-by: Christopher McKenzie <kristopolous@yahoo.com>
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
While running the sysdig capture without any filters the -M time value is picked up correctly and ends after the time specified time
But if I am using filters it just runs endless and require me to send the break single to end it
The text was updated successfully, but these errors were encountered: