Ethereal-dev: Re: [Ethereal-dev] Feature request: Graphing improvements

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Sun, 09 Apr 2006 19:47:43 -0700

Chris Wilson wrote:

> It would also be good to support continuous monitoring. I think it would
> make Ethereal more stable to have it manage its memory usage so that it
> does not grow indefinitely while capturing. Somebody else suggested the
> idea of capturing to an in-memory ring buffer, and it's already
> supported to capture to ring buffers on disk, and capture indefinitely.
> If Ethereal leaks memory due to session tracking, it defeats the point
> of these features.

It's a question of what Ethereal does *while* it's capturing.

If it's dissecting packets as they arrive, it will accumulate memory - I wouldn't call that a "leak" unless the memory in question can be safely discarded at some point in the process of capturing but isn't being discarded.

If it's *not* dissecting packets as they arrive - i.e., if you're *not* doing an "update list of packets in real time" capture - it shouldn't be doing session tracking or any of that stuff, it should just be saving packets to a file for future dissection, and *possibly* doing some *very quick* dissection for the capture window's percentage bars.

If the intent is only to do *simple* graphing - i.e., graphing that does *NOT* involve a full dissection of every packet, which means no state information, no matching of requests and responses, and no recognizing of protocols if it requires human intervention or analyzing a packet that sets up a connection to see what future traffic would be - then that could be done in the same way that we do the percentage bars, by having, for *some* protocols, simple dissectors.

Note that many VoIP protocols might require human intervention, or analyzing packets that set up connections, so this might not be able to figure out how much traffic is VoIP traffic, unless the "simple" dissection can analyze packets that set up connections.

Once this is done, however, the question would then be "how much of Ethereal is left"? That sort of graphing might also be useful for current Ethereal applications (i.e., those that involve doing packet capture and detailed dissection), but you might want an application that does the simple dissection and graphing but *not* the detailed dissection, which might share code with Ethereal but not be Ethereal.

Note also that a monitoring application might not want to save packets to a file - it might just want to read them and discard them.
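
Added illustration, not part of the original message and not Ethereal's code: a sketch of the kind of "simple" stateless dissection described above, where each frame is classified from its own bytes and only fixed-size counters are kept, so memory does not grow during an indefinite capture. The bucket names, struct and function names are hypothetical, and the sample frame is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bucket names for this example, not Ethereal's own. */
enum bucket { B_ARP, B_IPV6, B_ICMP, B_TCP, B_UDP, B_OTHER_IP, B_OTHER, B_BAD, B_COUNT };

struct quick_stats { uint64_t total; uint64_t packets[B_COUNT]; };

/* Classify one Ethernet frame from its own bytes only: no conversation
 * table, no reassembly, no allocation, so memory use stays constant. */
static enum bucket quick_classify(const uint8_t *p, size_t caplen)
{
    if (caplen < 14) return B_BAD;                 /* truncated Ethernet header */
    unsigned ethertype = (unsigned)p[12] << 8 | p[13];
    if (ethertype == 0x0806) return B_ARP;
    if (ethertype == 0x86DD) return B_IPV6;
    if (ethertype != 0x0800) return B_OTHER;
    if (caplen < 14 + 20 || (p[14] >> 4) != 4) return B_BAD;
    size_t ihl = (size_t)(p[14] & 0x0F) * 4;       /* IPv4 header length */
    if (ihl < 20 || caplen < 14 + ihl) return B_BAD;
    switch (p[14 + 9]) {                           /* IPv4 protocol field */
    case 1:  return B_ICMP;
    case 6:  return B_TCP;
    case 17: return B_UDP;   /* RTP on a negotiated port is only "UDP" here */
    default: return B_OTHER_IP;
    }
}

static void quick_count(struct quick_stats *s, const uint8_t *p, size_t caplen)
{
    s->total++;
    s->packets[quick_classify(p, caplen)]++;
}

/* Share of packets in one bucket, as a whole percentage for a bar. */
static unsigned quick_percent(const struct quick_stats *s, enum bucket b)
{
    return s->total ? (unsigned)(s->packets[b] * 100 / s->total) : 0;
}

int main(void)
{
    uint8_t udp[34] = {0};   /* constructed: Ethernet + IPv4 header, protocol 17 */
    udp[12] = 0x08; udp[14] = 0x45; udp[23] = 17;
    struct quick_stats s = {0};
    quick_count(&s, udp, sizeof udp);
    quick_count(&s, udp, 10);                      /* truncated capture */
    printf("UDP %u%%, bad %u%%\n", quick_percent(&s, B_UDP), quick_percent(&s, B_BAD));
    return 0;
}
```

Telling VoIP media apart from other UDP traffic would need the connection-setup state that this approach deliberately leaves out.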