On Apr 1, 2014, at 10:52 PM, Aaron Lewis <the.warl0ck.1989@xxxxxxxxx> wrote:
> From what I know, it seems like dumpcap listens for traffic and records
> everything.
> And the Wireshark GUI reads and parses that file. (Usually a file located in /tmp)
>
> But,
> 1) how did Wireshark know there's a new packet?
Dumpcap tells it. There's a pipe between dumpcap and Wireshark/TShark, and every time a batch of packets is written to the file by dumpcap, it also writes a message to the pipe saying that N more packets have been written to the file.
> 2) what happens if /tmp is full?
Dumpcap gets a "no space left on disk" error and reports it to Wireshark/TShark over the pipe. (The same thing happens with I/O errors, "you exceeded your disc quota" errors and so on.)
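
The exchange described in the reply above, as an added example that is not part of the original message or of Wireshark's code: a writer thread stands in for dumpcap and a reader stands in for Wireshark/TShark. The `P n` / `E errno text` line format, the length-prefixed records and the `free_space` limit that simulates a full disk are assumptions made for this illustration, not dumpcap's actual message format.

```python
import errno, os, struct, tempfile, threading

def capture_child(packets, path, wfd, batch=2, free_space=None):
    """Stand-in for dumpcap: append records to the file, then announce them on the pipe."""
    written = 0
    with open(path, "ab", buffering=0) as f, os.fdopen(wfd, "w") as pipe:
        try:
            for i in range(0, len(packets), batch):
                chunk = packets[i:i + batch]
                data = b"".join(struct.pack(">H", len(p)) + p for p in chunk)
                # Simulated full disk: a real write() would fail with ENOSPC here.
                if free_space is not None and written + len(data) > free_space:
                    raise OSError(errno.ENOSPC, os.strerror(errno.ENOSPC))
                f.write(data)
                written += len(data)
                pipe.write(f"P {len(chunk)}\n")  # "N more packets are in the file"
                pipe.flush()
        except OSError as e:
            pipe.write(f"E {e.errno} {e.strerror}\n")  # report the failure to the parent

def capture_parent(path, rfd):
    """Stand-in for Wireshark/TShark: read only as many records as the pipe announces."""
    packets, error = [], None
    with os.fdopen(rfd) as pipe, open(path, "rb", buffering=0) as f:
        for line in pipe:  # loop ends at EOF, when the child closes its end
            kind, _, rest = line.rstrip("\n").partition(" ")
            if kind == "P":
                for _ in range(int(rest)):
                    (n,) = struct.unpack(">H", f.read(2))
                    packets.append(f.read(n))
            elif kind == "E":
                code, _, text = rest.partition(" ")
                error = (int(code), text)
    return packets, error

def run(packets, free_space=None):
    """Wire both sides together with a temporary capture file and a pipe."""
    fd, path = tempfile.mkstemp(suffix=".cap")
    os.close(fd)
    rfd, wfd = os.pipe()
    t = threading.Thread(target=capture_child, args=(packets, path, wfd, 2, free_space))
    t.start()
    try:
        return capture_parent(path, rfd)
    finally:
        t.join()
        os.unlink(path)
```

The reader never polls the file or guesses at its length; it trusts only the counts received on the pipe, so a batch that failed to reach disk is never parsed.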