Hello All,
>>> Ulf Lamping <ulf.lamping@xxxxxx> 10/10/07 11:29 AM >>>
> > The "temporary file model" is working in Wiresharks "update list of
> > packets" mode for quite a while and is working ok.
>
When doing a "live capture" in Wireshark on Windows
platforms I've really come to depend on dumpcap to
create and write the temporary trace files
(the $TEMP/etherXXXX* files).
With the current "temporary file model" by the time
Wireshark sees the data dumpcap has already
committed the packets to disk.
We've had several occasions where Wireshark crashed
while in the middle of a "live capture". With dumpcap
building the actual trace files, I was able to open the
orphaned etherXXXX* files and recover the trace
data. In some cases I was able to determine that
a specific packet or set of packets triggered the
initial Wireshark crash.
These triggered Wireshark crashes have occurred
because of a defect in a dissector. Dumpcap doesn't
have to concern itself with dissecting so is virtually
immune to this type of crash.
I'm not certain that these "trigger" packets would be
recoverable if dumpcap simply forwarded the pcap data
stream onto tshark and/or wireshark using a pipeline.
FWIW:
I really like dumpcap's lean and mean design. When I
really need to fetch the most data with as little packet
drops as possible I use dumpcap (often with a snaplen
of 70 bytes or so).
Regards,
Jim Young