Wireshark mailing list archives

Re: why is it so difficult to stop capturing with wireshark 1.6.10 in fedora 16


From: Guy Harris <guy () alum mit edu>
Date: Mon, 24 Sep 2012 14:11:24 -0700


On Sep 24, 2012, at 7:46 AM, bart sikkes <b.sikkes () gmail com> wrote:

> does this happen when you are capturing a under high traffic load? i
> have had the same experience with windows systems when the traffic
> load was very high.

The problem is that, during a capture being updated in real time:

        dumpcap writes packets to the capture file, and, for each burst of packets it writes, sends Wireshark a message saying "I've written N more packets to the file";

        Wireshark reads those messages as they arrive, reads in N more packets, and updates the display;

and when you click the stop button, dumpcap may stop capturing and writing packets, but, if the traffic has been 
arriving faster than Wireshark can display it, there may be a significant backlog of packets for Wireshark to read even 
if no more are being written to the file.

This is bug 5892:

        https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5892

We could perhaps have Wireshark, once it's told dumpcap to stop capturing, quickly read and ignore all subsequent "N 
more packets have been written" messages, *and* set internal state so that attempting to save the capture will *not* be 
done by moving or copying the raw capture file, so that only the packets Wireshark read will be saved.  I added a note 
about the latter of those to the bug.

> it might be an option to capture via tcpdump

Or dumpcap.
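The backlog mechanism described in this reply, modelled as an added example (this is not Wireshark or dumpcap code, and the class, function and field names are constructed for illustration): a producer appends packet bursts to the raw file and queues one "N more packets written" message per burst, a slower consumer drains those messages, and `stop()` shows both the current behaviour (the backlog is still displayed after stop, and a save copies the raw file) and the proposed fix (discard the remaining messages and save by rewriting only the packets actually read).

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class CaptureSession:
    """Constructed model of the dumpcap -> Wireshark update protocol.

    dumpcap appends packets to the raw capture file and sends one
    'N more packets written' message per burst; Wireshark drains those
    messages at its own pace and reads that many packets from the file.
    """
    packets_in_file: int = 0                   # written by dumpcap
    packets_read: int = 0                      # read and displayed by Wireshark
    pending: deque = field(default_factory=deque)  # unread "N more" messages
    stopped: bool = False
    save_by_copying_file: bool = True          # default: save = move/copy raw file

    def dumpcap_burst(self, n: int) -> None:
        """dumpcap writes a burst of n packets and notifies Wireshark."""
        if self.stopped:
            return  # dumpcap has been told to stop; nothing more is written
        self.packets_in_file += n
        self.pending.append(n)

    def wireshark_drain(self, budget: int) -> int:
        """Wireshark reads at most `budget` packets this tick (display speed)."""
        read = 0
        while self.pending and read < budget:
            take = min(self.pending[0], budget - read)
            self.pending[0] -= take
            if self.pending[0] == 0:
                self.pending.popleft()
            read += take
        self.packets_read += read
        return read

    def backlog(self) -> int:
        """Packets already in the file that Wireshark has not read yet."""
        return sum(self.pending)

    def stop(self, discard_backlog: bool) -> None:
        """Stop button: dumpcap stops; optionally apply the proposed fix."""
        self.stopped = True
        if discard_backlog:
            # Proposed fix: ignore all further "N more" messages and remember
            # that the raw file now holds packets Wireshark never read, so a
            # save must rewrite only the packets it did read.
            self.pending.clear()
            self.save_by_copying_file = False

    def save(self) -> tuple:
        if self.save_by_copying_file:
            return ("copy_raw_file", self.packets_in_file)
        return ("rewrite_read_packets", self.packets_read)


def ticks_to_drain(session: CaptureSession, budget: int) -> int:
    """How many display ticks the GUI keeps 'capturing' after stop."""
    ticks = 0
    while session.backlog() > 0:
        session.wireshark_drain(budget)
        ticks += 1
    return ticks


def simulate(bursts, display_budget: int, discard_on_stop: bool) -> dict:
    """Run a capture where traffic arrives faster than it can be displayed."""
    s = CaptureSession()
    for n in bursts:            # constructed traffic: one burst per tick
        s.dumpcap_burst(n)
        s.wireshark_drain(display_budget)
    s.stop(discard_backlog=discard_on_stop)
    backlog_at_stop = s.backlog()
    ticks = ticks_to_drain(s, display_budget)
    return {"backlog_at_stop": backlog_at_stop,
            "ticks_until_caught_up": ticks,
            "save": s.save()}


if __name__ == "__main__":
    # 10 bursts of 100 packets, Wireshark displays only 60 per tick.
    print("current behaviour:", simulate([100] * 10, 60, discard_on_stop=False))
    print("proposed fix:     ", simulate([100] * 10, 60, discard_on_stop=True))
```

With the constructed numbers, the current behaviour leaves 400 packets of backlog at the moment of the click and needs seven more display ticks before the GUI settles, while the fix stops the display immediately at 600 packets and, because the raw file holds 1000, must not be saved by copying that file.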

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
