You right. what i did was closing only the file (not the session) and immediately open a new one. I tested it by recording with my application and Wireshark at the same time, and then i checked that there is no packets in the wireshark recording between the last packet of my first file and the first packet of my second file. I also set winpcap buffer to 16MB, just in case...
Thanks for the help! 2011/11/14 Guy Harris <[email protected]> > > On Nov 13, 2011, at 2:28 PM, Tal Attaly wrote: > > > "take a look at how tcpdump/WinDump implement -C and -G. -C is > implemented by checking the file size with pcap_dump_ftell(); " > > > > and then.. i should stop all the recording and start it mannualy again > (and loose packets) or their is a way to 'split' the recordings file in a > smarter way. > > No, then you should close the file to which you're writing and open one. > Yes, that means you're not recording packets during that time, but there > is obviously no way to avoid that, unless you have two separate threads, > one of which copies packets from WinPcap into a buffer in the program's > memory and another one that writes from that buffer. That means more > copying, which could make the problem worse, not better; there is some > amount of buffering done in the WinPcap driver, and if that's sufficient to > hold the packets that arrive while you're switching files, then theres no > need for anything fancier. > _______________________________________________ > Winpcap-users mailing list > [email protected] > https://www.winpcap.org/mailman/listinfo/winpcap-users >
_______________________________________________ Winpcap-users mailing list [email protected] https://www.winpcap.org/mailman/listinfo/winpcap-users
