On Tue, Nov 05, 2002 at 08:02:36AM +1100, Ronnie Sahlberg wrote:
> There are reasons why it may not be a really good idea to capture for
> several days at a time.
> Even at reasonably slow rates such as 75Mbit/s every packet will still add
> to the state buildup inside ethereal until you reach a point where
> memory is exhausted.

Only if you're reading a capture. While Ethereal is doing a capture, it won't do that, as it's just reading the raw data of a packet, doing a *VERY* minimal dissection of the first part of the packet so that it can update the appropriate packet count, and writing the raw data to a capture file (unless it's an "Update list of packets in real time" capture - but, in that case, it's reading the capture).

> >> Or use snoop or tcpdump instead of tethereal.
> >
> >Do these apps have more flexible ring buffers (or something similar)? The
> >reason we're using tethereal is because of this feature.
> >If a while() loop in some script were sufficient, we could use any packet
> >capturing engine in the world.
>
> No, they do not have ringbuffers at all, but they are both less stateful, so
> the state buildup is less than for tethereal.

When capturing and writing to a binary file, they're completely stateless (well, tcpdump is; I suspect snoop is as well), just as Ethereal and Tethereal are.
