Wireshark-bugs: [Wireshark-bugs] [Bug 2275] "Finished writing file" notification in ring-buffer

Date: Sat, 23 Feb 2008 13:26:59 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2275


Martin Whinnery <martin@xxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |martin@xxxxxxxxx
             Status|NEW                         |ASSIGNED
--- Comment #3 from Martin Whinnery <martin@xxxxxxxxx>  2008-02-23 13:26:56 GMT ---
(In reply to comment #2)
> If you just need to capture packets for later analysis elsewhere:
> 
> How about using dumpcap directly to make the captures ??
> (Dumpcap is the program used by tshark which actually does the captures).
> 
> Dumpcap when used in ringbuffer mode outputs the filename to stderr each time a
> new file is opened (as well as outputting a 'packets' running total).
> 
> Using dumpcap also has the advantage of not needing to run the relatively
> heavyweight tshark program just to do captures to a file.
> 
> See dumpcap -h
> 
> Example:
> $dumpcap -i 1 -w foo.pcap -b duration:15
> File: foo_00001_20080218074144.pcap
> Packets: 0 File: foo_00002_20080218074200.pcap
> Packets: 4 File: foo_00003_20080218074216.pcap
> Packets: 8 Packets dropped: 0
> $
> 

Yep, considered both, can make them both work.

I agree dumpcap is more appropriate, for the reasons given.

The problem with dumpcap is it writes the filename it's going to write to,
which isn't the file I want. So I need to run a wrapper which tracks the
previous filename, and handles the start/end conditions.

Or I run a separate process polling filesizes, and how do I choose my polling
period, and what if the poller fails for some reason, how do I make sure I don't
miss files, and, and...

This way, each time we see output, we pass the filename to a script which moves
it into a local queuing area, then uploads and deletes every file in the queue.
So we get everything (unless we die during the move-to-queue, a very short
time). It's just loads less complex. And architecturally nicer, codewise.

So I suppose my argument is it will allow my (arguably corner-case) problem to
be solved more cleanly.

I intend to work on this myself over the next few days - so far as I can see
from the tshark code, it shouldn't be too hard to do.

Thanks for your thoughts.

Mart
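The wrapper described in the comment above, as an added example that is not code from the bug reporter or from the Wireshark project: it reads dumpcap's ring-buffer stderr (in the line-oriented form quoted in comment #2), treats each new "File:" announcement as the signal that the previously announced file is closed, flushes the last file when dumpcap exits, and moves each finished file into a local queue directory. The function names, the queue directory and the pipeline invocation at the top are assumptions.

```shell
# Hypothetical usage (stderr carries the announcements, stdout is unused):
#   dumpcap -i 1 -w foo.pcap -b duration:15 2>&1 >/dev/null \
#     | finished_files | queue_finished /var/spool/pcap-queue

# Emit the name of each capture file once it is finished. dumpcap announces
# the file it is ABOUT to write, so a "File:" line means the previous file is
# complete; end of input (dumpcap exited) means the last one is complete too.
finished_files() {
  prev=""
  while IFS= read -r line || [ -n "$line" ]; do
    # "File:" may start the line or follow a "Packets: N" running total
    case "$line" in
      *"File: "*) ;;
      *) continue ;;
    esac
    new=${line##*"File: "}   # keep only the text after the last "File: "
    new=${new%% *}           # and drop anything after the filename
    if [ -n "$prev" ]; then
      printf '%s\n' "$prev"
    fi
    prev=$new
  done
  # start/end condition: the final announced file is closed once dumpcap exits
  if [ -n "$prev" ]; then
    printf '%s\n' "$prev"
  fi
}

# Move each finished file (one path per stdin line) into the queue directory
# and print its new path; uploading and deleting from the queue happens
# in a separate step, so a failed upload never loses the capture itself.
queue_finished() {
  qdir=$1
  mkdir -p "$qdir" || return 1
  while IFS= read -r f; do
    mv -- "$f" "$qdir/" && printf '%s\n' "$qdir/${f##*/}"
  done
}
```

The only window in which a file can be lost is between dumpcap closing it and `mv` completing, which is the short move-to-queue interval the comment already accepts.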
