Jim Young wrote:
Hello All,
Ulf Lamping <ulf.lamping@xxxxxx> 10/10/07 11:29 AM >>>
The "temporary file model" is working in Wiresharks "update list of
packets" mode for quite a while and is working ok.
When doing a "live capture" in Wireshark on Windows
platforms I've really come to depend on dumpcap to
create and write the temporary trace files
(the $TEMP/etherXXXX* files).
With the current "temporary file model" by the time
Wireshark sees the data dumpcap has already
committed the packets to disk.
We've had several occasions where Wireshark crashed
while in the middle of a "live capture". With dumpcap
building the actual trace files, I was able to open the
orphaned etherXXXX* files and recover the trace
data. In some cases I was able to determine that
a specific packet or set of packets triggered the
initial Wireshark crash.
This "should" have been the case before *shark started using dumpcap,
too. The FAQ (http://www.wireshark.org/faq.html#q7.12) has said (for a
long time, I think):
Also, if at all possible, please send a copy of the capture file that caused the problem; when capturing packets, Wireshark normally writes captured packets to a temporary file, which will probably be in /tmp or /var/tmp on UNIX-flavored OSes, \TEMP on the main system disk
[...]
though I admit I never had to test the theory as I don't think Wireshark
ever crashed on me during a live capture.