Wireshark-users: Re: [Wireshark-users] Continuous/circular in-memory tracing?

From: "Chad Dailey" <chad@xxxxxxxxxxxxxxxxxxx>
Date: Sat, 22 Dec 2007 11:00:52 -0600
We had a similar problem on Linux... sorry it's not XP but it may point you in the right direction.  In order to reduce disk thrashing for sustained captures, we write all our ring buffers to /tmp.

On 12/21/07, Jay Levitt <lists-wireshark@xxxxxxxxxxxxx> wrote:
Lately, I've run into a few intermittent issues (HTTP-level anomalies,
mostly) on my Windows XP SP2 machine that I could probably solve, if
only I had a Wireshark trace file.  Unfortunately, the problems happen
maybe once a week.  So capturing it is like the old joke: "To get to
Times Square, watch me, and get off the subway one stop before I do."

As far as I can tell from searching the forum, there's no good way to
keep Wireshark up and running and capturing to an in-memory circular
buffer, so that when I hit a problem, I can go back in time a few
minutes, and say "Ah hah!  Here's the trace for that!"  I know Wireshark
has a ring buffer mode, but that still writes every byte to disk, which
seems like a good way to raise my blood pressure as my entire online
experience slows down for the next month.

From what I've seen, the best I could do is set Wireshark up to use
ring-buffer files, and set those files up to be on a RAMdisk (if such a
thing even still exists for Windows), so although we're still going
through all the file-I/O semantics, we're not actually touching a disk
spindle.  But there's no way to set up a true, lightweight ring/circular
buffer, which would just be a memcpy of the Ethernet packets, and then,
when I actually care, trigger a "hey! NOW I'm interested in that data"
function.

I'm thinking of something like commercial audio recording packages,
which often include a "pre-record" feature.  The mics are always on and
recording, and if you then press Record, you'll get the previous minute
of audio inserted after-the-fact, as well as everything from that moment
forward.  It's the "oops I wish I had been recording" feature.

So is the RAMdisk/ring-buffer solution the best approximation of that?
Or is there another way to do this, either with Wireshark or another
tool (either free or commercial but not enterprise-priced)?

Jay Levitt
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
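The "pre-record" buffer Jay describes above, written out as an added example (not code from this thread, Wireshark, or either poster): a byte-bounded in-memory ring of raw Ethernet frames that evicts the oldest frame when the budget is exceeded, plus a trigger that dumps the last N seconds to a standard pcap file Wireshark can open. The frames here are constructed inline so the script runs offline; in a real deployment they would come from a raw socket or a capture library, which this example assumes rather than implements. The pcap header layout is the libpcap 2.4 format; everything else (class and function names) is invented for illustration.

```python
import struct
import tempfile
import time
from collections import deque
from typing import List, Optional, Tuple

# libpcap 2.4 global header fields (little-endian): magic, major, minor,
# thiszone, sigfigs, snaplen, linktype.  LINKTYPE_ETHERNET == 1.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = "<IHHiIII"   # 24 bytes
RECORD_HDR = "<IIII"      # ts_sec, ts_usec, incl_len, orig_len


class PacketRingBuffer:
    """Most-recent-packets buffer bounded by total bytes, not by disk writes.

    Frames are appended as (timestamp, raw bytes).  When the byte budget is
    exceeded the oldest frames are evicted, so steady-state memory use is flat
    and nothing touches a spindle until dump() is triggered.
    """

    def __init__(self, max_bytes: int) -> None:
        self.max_bytes = max_bytes
        self._frames: deque = deque()
        self._used = 0
        self.dropped = 0  # frames evicted or refused; useful as a sizing metric

    def append(self, raw: bytes, ts: Optional[float] = None) -> None:
        if ts is None:
            ts = time.time()
        if len(raw) > self.max_bytes:
            self.dropped += 1        # can never fit, refuse rather than thrash
            return
        self._frames.append((ts, raw))
        self._used += len(raw)
        while self._used > self.max_bytes:
            _, old = self._frames.popleft()
            self._used -= len(old)
            self.dropped += 1

    def __len__(self) -> int:
        return len(self._frames)

    def bytes_used(self) -> int:
        return self._used

    def to_pcap(self, last_seconds: Optional[float] = None,
                now: Optional[float] = None) -> bytes:
        """Serialise the buffer (optionally only the last N seconds) as pcap."""
        if now is None:
            now = time.time()
        cutoff = None if last_seconds is None else now - last_seconds
        out = [struct.pack(GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
        for ts, raw in self._frames:
            if cutoff is not None and ts < cutoff:
                continue
            sec = int(ts)
            usec = int(round((ts - sec) * 1_000_000))
            out.append(struct.pack(RECORD_HDR, sec, usec, len(raw), len(raw)))
            out.append(raw)
        return b"".join(out)

    def dump(self, path: str, last_seconds: Optional[float] = None) -> int:
        """The 'NOW I'm interested' trigger: write the buffer to disk once."""
        data = self.to_pcap(last_seconds)
        with open(path, "wb") as f:
            f.write(data)
        return len(read_pcap(data))


def read_pcap(data: bytes) -> List[Tuple[float, bytes]]:
    """Minimal pcap reader used to check what dump() wrote."""
    magic, _maj, _min, _tz, _sig, _snap, _link = struct.unpack_from(GLOBAL_HDR, data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off, frames = struct.calcsize(GLOBAL_HDR), []
    while off < len(data):
        sec, usec, incl, _orig = struct.unpack_from(RECORD_HDR, data, off)
        off += struct.calcsize(RECORD_HDR)
        frames.append((sec + usec / 1e6, data[off:off + incl]))
        off += incl
    return frames


def make_frame(payload: bytes) -> bytes:
    """Constructed sample Ethernet frame (local experimental ethertype 0x88B5)."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")
    return dst + src + b"\x88\xb5" + payload


if __name__ == "__main__":
    ring = PacketRingBuffer(max_bytes=1000)
    for i in range(1, 21):                       # 20 constructed 100-byte frames
        ring.append(make_frame(b"x" * 86), ts=float(i))
    path = tempfile.mktemp(suffix=".pcap")
    print(f"kept {len(ring)} frames, dropped {ring.dropped}, wrote {ring.dump(path)} to {path}")
```

The byte budget is the knob to tune: a few hundred megabytes covers minutes of traffic on a busy host with no disk I/O at all, and `dropped` tells you whether the window is long enough. Chad's tmpfs variant above gets close to this with stock tools, since `dumpcap -b filesize:<KB> -b files:<N> -w /tmp/ring.pcap` keeps a bounded set of files that never reach a spindle when `/tmp` is RAM-backed.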