On Thu, Oct 4, 2012 at 1:49 AM, TOoSmOotH <[email protected]> wrote:
> Is it possible to index PCAP as it writes it to disk? I really like
> netsniff-ng as it scales well with high traffic but the downside to that is
> a lot of pcap. This means searching through the pcap takes a long time
> especially when there are lots of writes going on.

Thanks for using netsniff-ng! Currently, there is no such feature built in. I agree that on huge pcap files, searching through them might be a bit of a pain, even in the case of an efficient BPF filter for an offline analysis. There is such a thing as pcapIndex [1], but from what I know it seems to be patented.

[1] http://www.sigcomm.org/node/3230
