Re: [Ethereal-users] writing to disk process

[Ulf Lamping <ulf.lamping@xxxxxx>]

Torres, Javier wrote:
> Thanks for your answer Guy,
> What I am worried about is dropping data from the time I get the packet
> in tshark to the time it actually writes to disk.  Because of this I am
> trying to find a way to test and see if I received all the packets
> Tshark sees on the capture.  I had thought this app was looking at the
> interface so once it processed the information from the interface it
> would at that point write the data to disk.
>
> Since you are saying it is writing to disk at the same time it is
> looking at it, this makes the job of making sure I am not dropping
> packets more difficult.
>
> The setup currently that I run is:
> Tshark -I 15 -n -B 20 -w capture_`date +%m%d%Y`.pcap -b filesize:20000 >
> /dev/null &
>
> This takes whatever comes in on that interface and drops it into a file.
>
> I was hoping to make sure the packets it is writing don't get dropped in
> the time it takes them to write to disk since it is sensitive
> information we are gathering.
>
>
>   
May I suggest you use dumpcap instead of tshark? It was build for the 
purpose you describe and will do less processing with the packet data.

Regards, ULFL