Jim Young wrote:
> Hello All,
> 
>>>> Ulf Lamping <[EMAIL PROTECTED]> 10/10/07 11:29 AM >>>
>>> The "temporary file model" is working in Wireshark's "update list of 
>>> packets" mode for quite a while and is working ok.
> 
> When doing a "live capture" in Wireshark on Windows 
> platforms I've really come to depend on dumpcap to 
> create and write the temporary trace files 
> (the $TEMP/etherXXXX* files).
> 
> With the current "temporary file model" by the time 
> Wireshark sees the data dumpcap has already 
> committed the packets to disk.
> 
> We've had several occasions where Wireshark crashed 
> while in the middle of a "live capture". With dumpcap 
> building the actual trace files, I was able to open the 
> orphaned etherXXXX* files and recover the trace
> data.  In some cases I was able to determine that
> a specific packet or set of packets triggered the 
> initial Wireshark crash.

This "should" have been the case before *shark started using dumpcap, 
too.  The FAQ (http://www.wireshark.org/faq.html#q7.12) has said (for a 
long time, I think):

> Also, if at all possible, please send a copy of the capture file that caused 
> the problem; when capturing packets, Wireshark normally writes captured 
> packets to a temporary file, which will probably be in /tmp or /var/tmp on 
> UNIX-flavored OSes, \TEMP on the main system disk
[...]

though I admit I never had to test the theory as I don't think Wireshark 
ever crashed on me during a live capture.
_______________________________________________
Wireshark-dev mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-dev
