We had a similar problem on Linux... sorry it's not XP but it may point you in the right direction. In order to reduce disk thrashing for sustained captures, we write all our ring buffers to /tmp.
On 12/21/07, Jay Levitt <[EMAIL PROTECTED]> wrote:
>
> Lately, I've run into a few intermittent issues (HTTP-level anomalies, mostly) on my Windows XP SP2 machine that I could probably solve, if only I had a Wireshark trace file. Unfortunately, the problems happen maybe once a week. So capturing it is like the old joke: "To get to Times Square, watch me, and get off the subway one stop before I do."
>
> As far as I can tell from searching the forum, there's no good way to keep Wireshark up and running and capturing to an in-memory circular buffer, so that when I hit a problem, I can go back in time a few minutes, and say "Ah hah! Here's the trace for that!" I know Wireshark has a ring buffer mode, but that still writes every byte to disk, which seems like a good way to raise my blood pressure as my entire online experience slows down for the next month.
>
> From what I've seen, the best I could do is set Wireshark up to use ring-buffer files, and set those files up to be on a RAMdisk (if such a thing even still exists for Windows), so although we're still going through all the file-I/O semantics, we're not actually touching a disk spindle. But there's no way to set up a true, lightweight ring/circular buffer, which would just be a memcpy of the Ethernet packets, and then, when I actually care, trigger a "hey! NOW I'm interested in that data" function.
>
> I'm thinking of something like commercial audio recording packages, which often include a "pre-record" feature. The mics are always on and recording, and if you then press Record, you'll get the previous minute of audio inserted after-the-fact, as well as everything from that moment forward. It's the "oops I wish I had been recording" feature.
>
> So is the RAMdisk/ring-buffer solution the best approximation of that? Or is there another way to do this, either with Wireshark or another tool (either free or commercial but not enterprise-priced)?
>
> Jay Levitt
_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
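The "pre-record" circular buffer Jay describes, as an added example that is not code from this thread or from Wireshark: the most recent Ethernet frames are held in memory under a byte budget, and only when something goes wrong are they written out as a libpcap file (here under /tmp, as in the reply). The class and function names are assumptions, the capture source is left out, and the frames fed in are constructed.

```python
import struct
import time
from collections import deque

PCAP_MAGIC = 0xA1B2C3D4      # libpcap magic, written little-endian below
LINKTYPE_ETHERNET = 1        # DLT_EN10MB


class PacketRing:
    """Hold the most recent frames in memory, bounded by total bytes."""

    def __init__(self, max_bytes, snaplen=65535):
        self.max_bytes = max_bytes
        self.snaplen = snaplen
        self._frames = deque()   # entries: (timestamp, original_length, data)
        self._used = 0

    def push(self, frame, ts=None):
        """Store one frame; evict the oldest until the byte budget is met."""
        ts = time.time() if ts is None else ts
        data = frame[:self.snaplen]
        self._frames.append((ts, len(frame), data))
        self._used += len(data)
        # Always keep at least the frame just pushed, even if it alone exceeds the budget.
        while self._used > self.max_bytes and len(self._frames) > 1:
            _, _, old = self._frames.popleft()
            self._used -= len(old)

    def __len__(self):
        return len(self._frames)

    def write_pcap(self, path):
        """The trigger: dump everything currently held to a pcap file. Returns frame count."""
        with open(path, "wb") as fh:
            # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
            fh.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0,
                                 self.snaplen, LINKTYPE_ETHERNET))
            for ts, orig_len, data in self._frames:
                sec = int(ts)
                usec = int((ts - sec) * 1_000_000)
                fh.write(struct.pack("<IIII", sec, usec, len(data), orig_len))
                fh.write(data)
        return len(self._frames)


def demo_ring(path="/tmp/prerecord_example.pcap"):
    """Feed 200 constructed 64-byte frames into a 4 KiB ring, then trigger a dump."""
    ring = PacketRing(max_bytes=4096)
    for i in range(200):
        # constructed frame: broadcast dst, made-up src, ARP ethertype, zero padding
        frame = b"\xff" * 6 + bytes([0, 1, 2, 3, 4, i % 256]) + b"\x08\x06" + bytes(50)
        ring.push(frame, ts=1198195200 + i)
    return ring.write_pcap(path)
```

Only the last 4096 bytes' worth of frames survive in the ring, so the dump holds the 64 most recent ones; the resulting file opens in Wireshark like any other capture.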