On Thu, Mar 21, 2002 at 01:13:49PM -0700, Eichert, Diana wrote:
> I've noticed is that if I capture with tethereal and drop the capture
> counter into /dev/null that I can capture at a higher rate with fewer
> dropped packets.

Then a "-q" flag to Tethereal might be useful, as you may be able to
capture even faster if the capture counter isn't written at all.

It certainly shouldn't be the *only* behavior you get, though. One
thing annoying about tcpdump, which behaves like

> I wrote a local hack
> which only wrote the number of packets captured at the end of capturing,
> not sure which system I did that on at the moment. It was a fairly
> trivial hack.

is that you don't know, until you terminate the capture, whether you're
seeing any traffic. (Yes, you can use control-T on BSD systems with
recent versions of tcpdump, but not all systems support SIGINFO, so that
doesn't solve the problem.)

As for Ethereal, rather than Tethereal:

Microsoft Network Monitor has a "Dedicated Capture Mode", wherein it
closes the main window (I'm not sure why it has to do that) and
displays a box similar to our capture statistics box, with "Stop",
"Pause", "Stop and View", and "Normal Mode" buttons, and a
continually-updating captured-frame count. That's not quite as quiet as
tcpdump, so it's still consuming CPU time and memory bandwidth updating
the captured frame count, but a mode similar to that might be useful.

(I don't see why Ethereal would need to close the main window - perhaps
on Windows just having it displayed at all consumes CPU time, or perhaps
there's no code path in Network Monitor to allow it to display the
window without updating all the things in it - but displaying only a
"Total" count might help.
I don't know if that'd be sufficiently quiet, though, so we might just
want to have a mode where all you get is a "Stop" button.)