Re: How could Wireshark write / read the pcap file simultaneously?

[Guy Harris <guy () alum mit edu>]

On Apr 1, 2014, at 10:52 PM, Aaron Lewis <the.warl0ck.1989 () gmail com> wrote:

> From what I know, it seems like dumpcap listens for traffic and record
> everything
> And the wireshark GUI read and parse that file. (Usually a file located in /tmp)
>
> But,
> 1) how did wireshark know there's a new packet?

Dumpcap tells it.  There's a pipe between dumpcap and Wireshark/TShark, and every time a batch of packets is written to 
the file by dumpcap, it also writes a message to the pipe saying that N more packets have been written to the file.

> 2) what happens if /tmp is full?

Dumpcap gets a "no space left on disk" error and reports it to Wireshark/TShark over the pipe.  (The same thing happens 
with I/O errors, "you exceeded your disc quota" errors and so on.)

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe