Ethereal-users: RE: [Ethereal-users] Slow packet capture from file

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Chris Robertson <Chris.Robertson@xxxxxxxxxxx>
Date: Tue, 23 Oct 2001 19:18:22 -0700
Ok, the process was to run a tcpdump and capture that to a file
(i.e. tcpdump > /tmp/tcpdump.file) on one machine, on a second machine run
snoop -v -o /tmp/snoop.file.  Ftp the second file to the original machine,
cat tcpdump.file > capture.tmp; cat snoop.file >> capture.tmp.  Fire up
Ethereal, start the capture from (i.e. ctrl-K) /tmp/capture.tmp.  Note: when I
stopped the capture/read process I got an error message saying I had a
corrupt capture file, this is new and I assume due to the snoop -v input.  I
started it up again with just the tcpdump file (all other options the same)
and got roughly the same speed (360 packets in 120 seconds).

Attached is the strace file.

Thanks,
Chris 

> -----Original Message-----
> From: Guy Harris [mailto:guy@xxxxxxxxxx]
> Sent: Tuesday, October 23, 2001 5:08 PM
> To: Chris Robertson
> Cc: ethereal-users@xxxxxxxxxxxx
> Subject: Re: [Ethereal-users] Slow packet capture from file
> 
> 
> > Hmm, sorry about the imprecise language. I am indeed reading from a file,
> > /tmp/capture.tmp to be exact.
> 
> OK, then I'm not sure why it's doing repeated "recvfrom()" calls if
> that's *not* reading from a live capture socket.
> 
> Could you try starting Ethereal under strace, and send me an indication
> of what it's doing, all the way up to the point where it starts reading
> the file?
> 
> > The first half of that file was generated by
> > tcpdump, the second half of the file was generated by snoop -v.
> 
> "snoop -v", or "snoop -w"?  "snoop -v" generates a text file that
> Ethereal can't read.
> 
> Precisely what was the full process used to generate the file?
> 

Attachment: ethereal.strace
Description: Binary data
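
The file discussed in this thread was assembled by concatenating the output of two different tools. The following is an added example, not part of the original messages and not Ethereal's own code: it identifies a file by its magic number (libpcap or snoop per RFC 1761) and, for libpcap files, walks the record headers to report how many bytes after the last complete record do not parse as packets. The function names and the sample data are constructed for illustration.

```python
import struct

# Magic numbers: libpcap (either byte order) and snoop (RFC 1761).
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}
SNOOP_MAGIC = b"snoop\x00\x00\x00"

def inspect_capture(data):
    """Return (format, complete_records, trailing_bytes) for a capture blob."""
    if data[:8] == SNOOP_MAGIC:
        return ("snoop", None, 0)
    endian = PCAP_MAGICS.get(data[:4])
    if endian is None or len(data) < 24:
        # No binary magic: decoded text output or some other format.
        return ("text-or-unknown", None, 0)
    snaplen = struct.unpack(endian + "I", data[16:20])[0]
    off, count = 24, 0  # the libpcap global header is 24 bytes
    while off + 16 <= len(data):
        _sec, _usec, incl, orig = struct.unpack(endian + "IIII", data[off:off + 16])
        # Heuristic: a record header whose captured length exceeds the snap
        # length, the original length, or the file is not a real record.
        if incl > snaplen or incl > orig or off + 16 + incl > len(data):
            break
        off += 16 + incl
        count += 1
    return ("pcap", count, len(data) - off)

def build_sample_pcap(n_records, payload=b"\x00" * 60):
    """Constructed little-endian libpcap file (Ethernet, snaplen 65535)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i in range(n_records):
        out += struct.pack("<IIII", 1000000000 + i, 0, len(payload), len(payload))
        out += payload
    return out

# Constructed samples: one line of decoded text, and a bare snoop file header
# (version 2, datalink type 4 = Ethernet).
TEXT_SAMPLE = b"19:18:22.123456 host-a.1024 > host-b.21: S 1:1(0) win 8760\n"
SNOOP_HEADER = SNOOP_MAGIC + struct.pack(">II", 2, 4)

if __name__ == "__main__":
    samples = {
        "decoded text": TEXT_SAMPLE,
        "pcap": build_sample_pcap(2),
        "pcap + appended snoop": build_sample_pcap(2) + SNOOP_HEADER,
    }
    for name, blob in samples.items():
        print(name, inspect_capture(blob))
```

A non-zero trailing byte count on a libpcap file means something other than packet records follows the last valid record, which is what appending a second tool's output with `cat >>` produces.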