http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2275
Martin Whinnery <martin@xxxxxxxxx> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |martin@xxxxxxxxx
Status|NEW |ASSIGNED
--- Comment #3 from Martin Whinnery <martin@xxxxxxxxx> 2008-02-23 13:26:56 GMT ---
(In reply to comment #2)
> If you just need to capture packets for later analysis elsewhere:
>
> How about using dumpcap directly to make the captures ??
> (Dumpcap is the program used by tshark which actually does the captures).
>
> Dumpcap when used in ringbuffer mode outputs the filename to stderr each time a
> new file is opened (as well as outputting a 'packets' running total).
>
> Using dumpcap also has the advantage of not needing to run the relatively
> heavyweight tshark program just to do captures to a file.
>
> See dumpcap -h
>
> Example:
> $dumpcap -i 1 -w foo.pcap -b duration:15
> File: foo_00001_20080218074144.pcap
> Packets: 0 File: foo_00002_20080218074200.pcap
> Packets: 4 File: foo_00003_20080218074216.pcap
> Packets: 8 Packets dropped: 0
> $
>
Yep, considered both, can make them both work.
I agree dumpcap is more appropriate, for the reasons given.
The problem with dumpcap is it writes the filename it's going to write to,
which isn't the file I want. So I need to run a wrapper which tracks the
previous filename, and handles the start/end conditions.
Or I run a separate process polling filesizes, and how do choose my polling
period and what if the poller fails for some reason how do I make sure I dont
miss files and and...
This way, each time we see output, we pass the filename to a script which moves
it into a local queuing area, then uploads and deletes every file in the queue.
So we get everything ( unless we die during the move-to-queue, a very short
time ). It's just loads less complex. And architecturally nicer, codewise.
So I suppose my argument is it will allow my (arguably corner-case) problem to
be solved more cleanly.
I intend to work on this myself over the next few days - so far as I can see
from the tshark code, it shouldn't be too hard to do.
Thanks for your thoughts.
Mart
--
Configure bugmail: http://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.