Ethereal-users: Re: [Ethereal-users] Three big problems

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Mon, 4 Nov 2002 13:11:32 -0800

On Tue, Nov 05, 2002 at 08:02:36AM +1100, Ronnie Sahlberg wrote:
> There are reasons why it may not be a really good idea to capture for
> several days at a time.
> Even at reasonably slow rates such as 75Mbit/s every packet will still add
> to the state buildup inside ethereal until you reach a point where
> memory is exhausted.

Only if you're reading a capture.  While Ethereal is doing a capture, it
won't do that, as it's just reading the raw data of a packet, doing a
*VERY* minimal dissection of the first part of the packet so that it can
update the appropriate packet count, and writing the raw data to a
capture file (unless it's an "Update list of packets in real time"
capture - but, in that case, it's reading the capture).

> >> Or use snoop or tcpdump instead of tethereal.
> >
> >Do these apps have more flexible ring buffers (or something similar)?  The
> >reason we're using tethereal is because of this feature.  If a while() loop
> >in some script were sufficient, we could use any packet capturing engine in
> >the world.
> 
> No, they do not have ringbuffers at all, but they are both less stateful, so
> the state buildup is less than for tethereal.

When capturing and writing to a binary file, they're completely
stateless (well, tcpdump is; I suspect snoop is as well), just as
Ethereal and Tethereal are.