[Guy Harris <guy@xxxxxxxxxx>]

On Wed, Jul 03, 2002 at 04:47:21PM -0700, Guy Harris wrote:
> On Thu, Jul 04, 2002 at 09:43:36AM +1000, Tino wrote:
> > 2)  " not" meant as follow:
> >        the file size is zero during capture and after CTRL-C even when an
> > RST was generated.
> 
> As I suspected.
> 
> >  3) One thing though, when it was working capturing to the file without the
> > " tcp.flags.reset eq 1", I could see the file test.txt grows
> >       in size during capturing (not having to press CTRL-C to write to the
> > file).  Not sure why though.
> 
> Tethereal (like tcpdump/WinDump) writes to the file as it receives
> packets; it doesn't buffer all packets in memory and then write them all
> out when interrupted.

...although packets are buffered inside the C I/O library, so it's not
as if they *immediately* appear in the file.  The buffer size depends on
the particular OS and compiler used (the buffering is done in that
library; it's not done by Tethereal itself); I don't know what the
buffer size is on windows, but it's probably somewhere around 2K or 4K
bytes.

This means that even if the RST is generated, it won't immediately
appear in the file, so the file size might still be zero even if a
packet's been seen.  (RST packets are likely to be small.)