Thanks for your answer Guy.

What I am worried about is dropping data from the time I get the packet in tshark to the time it actually writes to disk. Because of this I am trying to find a way to test and see if I received all the packets Tshark sees on the capture. I had thought this app was looking at the interface, so once it processed the information from the interface it would at that point write the data to disk. Since you are saying it is writing to disk at the same time it is looking at it, this makes the job of making sure I am not dropping packets more difficult.

The setup that I currently run is:

Tshark -I 15 -n -B 20 -w capture_`date +%m%d%Y`.pcap -b filesize:20000 > /dev/null &

This takes whatever comes in on that interface and drops it into a file. I was hoping to make sure the packets it is writing don't get dropped in the time it takes them to write to disk, since it is sensitive information we are gathering.

Thanks,
Javier

-----Original Message-----
From: ethereal-users-bounces@xxxxxxxxxxxx [mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: Wednesday, July 19, 2006 2:10 PM
To: Ethereal user support
Subject: Re: [Ethereal-users] writing to disk process

Torres, Javier wrote:
> I had a question on the timing of how wireshark/tshark writes to disk.
>
> I have some data streams I need to capture, comes out to about 6gig of
> data per day. I need to make sure I don't drop any info from the box
> and my fear is the time it takes to write to disk.
>
> Does Wireshark/Tshark put the sequence number on the packet before it
> writes to disk?

To which sequence number are you referring? TCP, and other protocol, sequence numbers are part of the packet data it writes to disk; Wireshark/Tshark doesn't set that. The sequence number that appears, by default, in the first column of the Wireshark display is not in the capture file; the Nth packet in the file has N as its sequence number.

Any packet dropping when capturing is done before Wireshark/Tshark sees the packet, so the only way Wireshark/Tshark can even know packets have been dropped is if the capture mechanism lets it get dropped-packet counts from libpcap/WinPcap. Wireshark will display that number on a live capture, and Tshark will write "N packets dropped" to the standard error when it terminates if N is non-zero. That number isn't saved in a capture file, however (libpcap format has no place to put it).

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
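Since the only drop signal Guy describes is the "N packets dropped" line tshark writes to standard error when it terminates, a practical check is to keep that stderr instead of losing it, and parse the count out. The wrapper below is an added example for this thread, not code from the mailing list or from the Wireshark project. It assumes tshark prints "N packets captured" and "N packets dropped" lines on exit (the surrounding wording varies by version, so the patterns are kept loose); the interface name, file names and the constructed sample stderr are placeholders, and the `-a duration:60` stop condition is there only so the command terminates and reports.

```python
"""Surface libpcap's dropped-packet count from a tshark run.

Added example for this thread, not code from the mailing list or from the
Wireshark project. It assumes tshark terminates with "N packets captured"
and "N packets dropped" lines on stderr, as Guy describes; the exact wording
around the numbers varies between versions, so the patterns are kept loose.
"""
import re
import shlex
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# "N packets dropped" is the only drop signal tshark gives; the count comes
# from libpcap/WinPcap and is not stored anywhere in the pcap file itself.
DROPPED_RE = re.compile(r"(\d+)\s+packets?\s+dropped", re.IGNORECASE)
CAPTURED_RE = re.compile(r"(\d+)\s+packets?\s+captured", re.IGNORECASE)


@dataclass
class CaptureSummary:
    captured: Optional[int]  # None if no "packets captured" line was seen
    dropped: int             # 0 when tshark printed no drop line
    returncode: int

    @property
    def complete(self) -> bool:
        """True when the capture exited cleanly and reported zero drops."""
        return self.returncode == 0 and self.dropped == 0


def parse_capture_stderr(text: str, returncode: int = 0) -> CaptureSummary:
    """Extract the captured/dropped counts from tshark's stderr output."""
    captured = None
    dropped = 0
    for line in text.splitlines():
        m = CAPTURED_RE.search(line)
        if m:
            captured = int(m.group(1))
        m = DROPPED_RE.search(line)
        if m:
            dropped = int(m.group(1))
    return CaptureSummary(captured, dropped, returncode)


def run_capture(argv: List[str], timeout: Optional[float] = None) -> CaptureSummary:
    """Run a capture command, keeping stderr so the drop report is not lost.

    The shell command in the thread sends stdout to /dev/null and backgrounds
    the process, which makes the stderr report easy to miss; here stderr is
    captured and parsed instead.
    """
    proc = subprocess.run(
        argv,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.PIPE,
        text=True,
        timeout=timeout,
        check=False,
    )
    return parse_capture_stderr(proc.stderr, proc.returncode)


# Constructed sample stderr, shaped like the end of a tshark run. The exact
# text is an assumption; only the "N packets dropped" phrase is from the thread.
SAMPLE_CLEAN = "Capturing on 'eth1'\n120 packets captured\n"
SAMPLE_DROPS = (
    "Capturing on 'eth1'\n"
    "120 packets captured\n"
    "tshark: 7 packets dropped\n"
)


if __name__ == "__main__":
    # Interface and file names are placeholders; -a duration:60 stops the
    # capture after 60 seconds so tshark actually terminates and reports.
    cmd = shlex.split(
        "tshark -i eth1 -n -B 20 -w capture.pcap -b filesize:20000 -a duration:60"
    )
    try:
        summary = run_capture(cmd)
    except FileNotFoundError:
        # tshark not installed here: fall back to the constructed sample output.
        summary = parse_capture_stderr(SAMPLE_DROPS)
    print(summary)
    if not summary.complete:
        print("WARNING: capture is not complete; consider a larger -B buffer")
```

If you prefer to keep the plain shell form from the thread, note that `> /dev/null` discards only standard output; the drop line goes to standard error, so add a `2> capture.err` redirection and check that file after tshark exits, otherwise the report from a backgrounded process is easy to miss. As Guy says, the count is never written into the pcap itself, so this stderr report (or Wireshark's live display) is the only place it can be read.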