
webapp: improve pcap download

Open yunzheng opened this issue 5 months ago • 1 comments

Downloading a PCAP will now limit packets to the flow only.

Before, it would just return the LZ4-compressed PCAP file that contains the flow.

yunzheng, Nov 21 '25 15:11

Hi! Thank you for this patch.

I definitely agree that it is a cool feature that should be present in Shovel. However, I need more time to think about the proposed implementation:

  • LZ4 format seems harder to use for Windows users, so I agree that we should rather serve pcap files.
  • I am not a big fan of calling lz4cat then tcpdump in subprocesses.
  • I was planning to look into Suricata to produce pcap.gz files directly, things are already moving a bit upstream: https://redmine.openinfosecfoundation.org/issues/8132 (libarchive might come to Suricata)
  • If we have pcap.gz files, then scapy + gzip modules could be sufficient. This would prevent using subprocess.

In the meantime, I will definitely keep the PR open to let people cherry-pick these commits if they want the feature now.

erdnaxe, Nov 29 '25 15:11
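
The subprocess-free approach discussed in the comment above, as an added example that is not code from Shovel or from either participant: it reduces a gzip-compressed capture to one flow in-process, using the standard-library `gzip` and `struct` modules in place of scapy. It assumes a classic little-endian pcap with Ethernet link type and untagged IPv4; the function names, `MAX_FRAME` and the sample builders are hypothetical.

```python
import gzip, io, socket, struct

PCAP_HDR = struct.Struct("<IHHiIII")  # classic pcap global header, little-endian
REC_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len
MAX_FRAME = 262144                    # assumed cap; rejects absurd record lengths

def flow_key(frame):
    """(proto, {endpoints}) for an Ethernet/IPv4 TCP or UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    l4, proto = 14 + (frame[14] & 0x0F) * 4, frame[23]
    if proto not in (6, 17) or len(frame) < l4 + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return proto, frozenset({(socket.inet_ntoa(frame[26:30]), sport),
                             (socket.inet_ntoa(frame[30:34]), dport)})

def extract_flow(pcap_gz, proto, a, b):
    """Return an uncompressed pcap with only the packets between a and b."""
    wanted = (proto, frozenset({a, b}))  # direction-independent match
    out = io.BytesIO()
    with gzip.open(io.BytesIO(pcap_gz), "rb") as f:
        hdr = f.read(PCAP_HDR.size)
        if len(hdr) < PCAP_HDR.size:
            raise ValueError("truncated pcap header")
        magic, *_, linktype = PCAP_HDR.unpack(hdr)
        if magic != 0xA1B2C3D4 or linktype != 1:
            raise ValueError("expected little-endian Ethernet pcap")
        out.write(hdr)
        while len(rec := f.read(REC_HDR.size)) == REC_HDR.size:
            incl_len = REC_HDR.unpack(rec)[2]
            if incl_len > MAX_FRAME:
                raise ValueError("record length exceeds MAX_FRAME")
            frame = f.read(incl_len)
            if len(frame) < incl_len:
                break  # truncated capture: drop the partial record
            if flow_key(frame) == wanted:
                out.write(rec + frame)
    return out.getvalue()

def sample_frame(proto, src, sport, dst, dport):  # constructed 42-byte test frame
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return bytes(12) + b"\x08\x00" + ip + struct.pack("!HH", sport, dport) + bytes(4)

def sample_pcap_gz(frames):  # constructed gzip-compressed capture
    body = PCAP_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body += b"".join(REC_HDR.pack(i, 0, len(fr), len(fr)) + fr for i, fr in enumerate(frames))
    return gzip.compress(body)
```

Because the record length is bounded before the read and no external tool is invoked, a malformed or hostile capture fails with `ValueError` instead of driving a subprocess or a large allocation.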