Jim Young wrote:
> Hello All,
>
>>>> Ulf Lamping <[EMAIL PROTECTED]> 10/10/07 11:29 AM >>>
>>> The "temporary file model" is working in Wireshark's "update list of
>>> packets" mode for quite a while and is working ok.
>
> When doing a "live capture" in Wireshark on Windows
> platforms I've really come to depend on dumpcap to
> create and write the temporary trace files
> (the $TEMP/etherXXXX* files).
>
> With the current "temporary file model" by the time
> Wireshark sees the data dumpcap has already
> committed the packets to disk.
>
> We've had several occasions where Wireshark crashed
> while in the middle of a "live capture". With dumpcap
> building the actual trace files, I was able to open the
> orphaned etherXXXX* files and recover the trace
> data. In some cases I was able to determine that
> a specific packet or set of packets triggered the
> initial Wireshark crash.

This "should" have been the case before *shark started using dumpcap, too. The FAQ (http://www.wireshark.org/faq.html#q7.12) has said (for a long time, I think):

> Also, if at all possible, please send a copy of the capture file that caused
> the problem; when capturing packets, Wireshark normally writes captured
> packets to a temporary file, which will probably be in /tmp or /var/tmp on
> UNIX-flavored OSes, \TEMP on the main system disk [...]

though I admit I never had to test the theory as I don't think Wireshark ever crashed on me during a live capture.
