Wireshark mailing list archives
Re: why is it so difficult to stop capturing with wireshark 1.6.10 in fedora 16
From: Guy Harris <guy () alum mit edu>
Date: Mon, 24 Sep 2012 14:11:24 -0700
On Sep 24, 2012, at 7:46 AM, bart sikkes <b.sikkes () gmail com> wrote:
> Does this happen when you are capturing under high traffic load? I have had the same experience with Windows systems when the traffic load was very high.
The problem is that, during a capture being updated in real time:

- dumpcap writes packets to the capture file, and, for each burst of packets it writes, sends Wireshark a message saying "I've written N more packets to the file";
- Wireshark reads those messages as they arrive, reads in N more packets, and updates the display;

and when you click the stop button, dumpcap may stop capturing and writing packets, but, if the traffic has been arriving faster than Wireshark can display it, there may be a significant backlog of packets for Wireshark to read even if no more are being written to the file.

This is bug 5892:

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5892

We could perhaps have Wireshark, once it's told dumpcap to stop capturing, quickly read and ignore all subsequent "N more packets have been written" messages, *and* set internal state so that attempting to save the capture will *not* be done by moving or copying the raw capture file, so that only the packets Wireshark read will be saved. I added a note about the latter of those to the bug.
> It might be an option to capture via tcpdump
Or dumpcap.

Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
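The backlog described in the message above can be seen in a small model. This is an added example, not part of the original message and not Wireshark or dumpcap code; the class, its method names, and the per-tick read budget are all assumptions made for illustration.

```python
from collections import deque
class CaptureModel:
    """Toy model of the dumpcap -> Wireshark hand-off (not Wireshark code)."""
    def __init__(self):
        self.file_packets = 0        # packets dumpcap has written to the file
        self.pending = deque()       # unread "N more packets" messages
        self.read_packets = 0        # packets the UI has read and displayed
        self.save_by_copy_ok = True  # may "save" just copy/move the raw file?

    def dumpcap_burst(self, n):
        self.file_packets += n
        self.pending.append(n)

    def ui_tick(self, budget):
        """UI reads at most `budget` (> 0) packets per tick, oldest first."""
        done = 0
        while self.pending and done < budget:
            take = min(self.pending[0], budget - done)
            self.pending[0] -= take
            if self.pending[0] == 0:
                self.pending.popleft()
            done += take
        self.read_packets += done

    def stop_drain(self, budget):
        """Behaviour described in the message: work through the whole backlog."""
        ticks = 0
        while self.pending:
            self.ui_tick(budget)
            ticks += 1
        return ticks

    def stop_discard(self):
        """Proposed: drop remaining messages; file now holds unread packets."""
        skipped = sum(self.pending)
        self.pending.clear()
        self.save_by_copy_ok = skipped == 0  # assumption: only flag if skipped
        return skipped

def run(bursts, burst_size, ui_budget, discard_on_stop):
    m = CaptureModel()
    for _ in range(bursts):          # capture running
        m.dumpcap_burst(burst_size)
        m.ui_tick(ui_budget)
    # User clicks Stop here; dumpcap writes nothing further.
    skipped = m.stop_discard() if discard_on_stop else 0
    ticks = m.stop_drain(ui_budget)  # 0 ticks when nothing is pending
    return {"file": m.file_packets, "read": m.read_packets, "skipped": skipped,
            "ticks_after_stop": ticks, "save_by_copy_ok": m.save_by_copy_ok}
```

With 100 bursts of 1000 packets and a UI that reads 200 per tick, draining takes 400 more ticks after Stop, while discarding returns at once but leaves 80000 packets in the file that the UI never read, which is why saving must then not copy the raw file.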