Hmm, sorry about the imprecise language. I am indeed reading from a file,
/tmp/capture.tmp to be exact. The first half of that file was generated by
tcpdump, the second half of the file was generated by snoop -v. I'd send
you the file but it's 75MB... :)
Thanks for the help,
Chris
> -----Original Message-----
> From: Guy Harris [mailto:guy@xxxxxxxxxx]
> Sent: Tuesday, October 23, 2001 4:56 PM
> To: Chris Robertson
> Cc: ethereal-users@xxxxxxxxxxxx
> Subject: Re: [Ethereal-users] Slow packet capture from file
>
>
> > Below is a few seconds of what Ethereal is doing according to strace.
> > Update, after roughly 4 hours of processing ethereal has read in 87,000
> > packets and used a total of 3:16 on the cpu.
> >
> > Thanks,
> > Chris
> >
> > strace:
> > select(10, [9], NULL, NULL, {0, 250000}) = 1 (in [9], left {0, 90000})
> > recvfrom(9, "\377\377\377\377\377\377\0\260\320!\1\250\10\6\0\1\10\0"...,
> > 65535, 0x20, {sa_family=17, sa_data="\10\6\2\0\0\0\1\0\1\6\0\260\320!"},
> > [20]) = 60
>
> An address/protocol family of 17 is PF_PACKET, which means it's probably
> capturing packets.
>
> However, in your original mail, you said
>
> Greetings all, I have a (hopefully) quick question. How can I
> increase the speed of capturing packets from a file? The file
> was generated by tcpdump/snoop.
>
> which indicates that Ethereal *wasn't* capturing packets, it was reading
> a capture file written by some *other* program that was capturing
> packets.
>
> Were you reading an existing capture file, or capturing packets within
> Ethereal from some network interface? (You don't capture packets from a
> file, you read packets from a file.)
>