Hi Guy,
> On Wed, Jan 29, 2003 at 11:12:08PM +0000, spamcontrol2@xxxxxxxxx wrote:
> > ...Unless you're trying to capture data rates higher than 100mbps, or
> > from media other than Ethernet, in which case Sniffer is useless for
> > long-term capture.
>
> Why is 10/100Mb Ethernet special there? They do have gigabit Sniffers
> and Sniffers do support other media.
Yes, but we're talking about extended captures here. For example, Sniffer
products support Gigabit Ethernet capture in one of two ways:
- Capture to buffers on a proprietary card up to 144MB (72MB per channel), where
there is currently still no possible way to save a full buffer to disk and
restart capture (which would be horrible anyway, since it takes 10-50 times
longer to pull the data off of the card than to capture it). This is the model
for the majority of their current-sold Gigabit products.
- Capture with a probe that has up to 512MB buffer (I believe), and can attempt
to stream some of the data to a "console" PC over a 100Mbps FE link. This at
least allows you to attempt to capture for extended periods, but it's rare that
it can handle more than about 60Mbps/s of sustained traffic.
Between the two, the second would obviously be preferable, but if you're not
looking for physical errors and not worried about the very slight packet arrival
time differences, you might as well SPAN the gigabit port you're monitoring to
an FE port, and save-to-disk more reliably at up to 100Mbps (though very
"bursty" traffic won't be handled quite as well).
All of Sniffer's solutions for other media types, to my knowledge, use one of
the two above approaches as well.
>
> > Do you know if there was a reason why the ring buffer was designed to
> > hold all files open at the same time? Or was it simpler to design that
> > way, and eventually it was assumed that someone would implement
> > something more robust?
>
> I wasn't the creator of that code; I don't know why its creators made
> the design decisions that they did.
Perhaps I should re-ask on Ethereal-dev? =)