On Nov 13, 2011, at 2:28 PM, Tal Attaly wrote:

> "take a look at how tcpdump/WinDump implement -C and -G. -C is implemented
> by checking the file size with pcap_dump_ftell(); "
>
> and then.. I should stop all the recording and start it manually again (and
> lose packets) or there is a way to 'split' the recordings file in a smarter
> way.

No, then you should close the file to which you're writing and open one. Yes, that means you're not recording packets during that time, but there is obviously no way to avoid that, unless you have two separate threads, one of which copies packets from WinPcap into a buffer in the program's memory and another one that writes from that buffer. That means more copying, which could make the problem worse, not better; there is some amount of buffering done in the WinPcap driver, and if that's sufficient to hold the packets that arrive while you're switching files, then there's no need for anything fancier.

_______________________________________________
Winpcap-users mailing list
https://www.winpcap.org/mailman/listinfo/winpcap-users
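
The close-and-reopen rotation described in this reply, as an added example that is not part of the original message or of tcpdump/WinDump. It writes the pcap savefile format with plain stdio so it runs without WinPcap; the comments mark where `pcap_dump_ftell()`, `pcap_dump_close()` and `pcap_dump_open()` would go. The `rot_*` names, file naming scheme and sample frame are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical rotating writer; all names here are this example's own. */
struct rot_writer {
    FILE *fp;          /* current savefile (stand-in for pcap_dumper_t) */
    const char *base;  /* file name prefix */
    long max_bytes;    /* rotate once the current file has reached this size */
    int index;         /* number of files opened so far */
};

/* Open the next file and write the 24-byte pcap global header. */
static int rot_open(struct rot_writer *w) {
    struct { uint32_t magic; uint16_t vmaj, vmin;
             uint32_t zone, sigfigs, snaplen, linktype; }
        gh = { 0xa1b2c3d4u, 2, 4, 0, 0, 65535, 1 /* Ethernet */ };
    char name[256];
    snprintf(name, sizeof name, "%s.%d.pcap", w->base, w->index);
    if ((w->fp = fopen(name, "wb")) == NULL) return -1;
    w->index++;
    return fwrite(&gh, sizeof gh, 1, w->fp) == 1 ? 0 : -1;
}

/* Per-packet path: check the size first, switch files if needed, then write. */
static int rot_write(struct rot_writer *w, uint32_t sec, uint32_t usec,
                     const unsigned char *pkt, uint32_t len) {
    uint32_t rh[4] = { sec, usec, len, len };  /* ts, captured len, wire len */
    if (ftell(w->fp) >= w->max_bytes) {        /* pcap_dump_ftell() */
        fclose(w->fp);                         /* pcap_dump_close() */
        if (rot_open(w) != 0) return -1;       /* pcap_dump_open(), new name */
    }
    return fwrite(rh, sizeof rh, 1, w->fp) == 1 &&
           fwrite(pkt, 1, len, w->fp) == len ? 0 : -1;
}

/* Write n constructed 60-byte frames; return the number of files used. */
int demo_rotate(const char *base, long max_bytes, int n) {
    struct rot_writer w = { NULL, base, max_bytes, 0 };
    unsigned char frame[60];
    int i, rc = 0;
    memset(frame, 0xab, sizeof frame);         /* constructed sample packet */
    if (rot_open(&w) != 0) rc = -1;
    for (i = 0; rc == 0 && i < n; i++)
        rc = rot_write(&w, 1321222080u + (uint32_t)i, 0, frame, sizeof frame);
    if (w.fp != NULL) fclose(w.fp);
    return rc == 0 ? w.index : -1;
}
```

Each new file gets its own global header, so every piece opens on its own in a pcap reader; the switch happens between two packets, which is the window the driver's buffering has to cover.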
