Wireshark · Ethereal-users: Re: [Ethereal-users] Slow packet capture from file

Ethereal-users: Re: [Ethereal-users] Slow packet capture from file

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>

Date: Tue, 23 Oct 2001 16:56:23 -0700 (PDT)

> Below is a few seconds of what Ethereal is doing according to strace.
> Update, after roughly 4 hours of processing ethereal has read in 87,000
> packets and used a total of 3:16 on the cpu.
> 
> Thanks,
> Chris
> 
> strace:
> select(10, [9], NULL, NULL, {0, 250000}) = 1 (in [9], left {0, 90000})
> recvfrom(9, "\377\377\377\377\377\377\0\260\320!\1\250\10\6\0\1\10\0"...,
> 65535, 0x20, {sa_family=17, sa_data="\10\6\2\0\0\0\1\0\1\6\0\260\320!"},
> [20]) = 60

An address/protocol family of 17 is PF_PACKET, which means it's probably
capturing packets.

However, in your original mail, you said

	Greetings all, I have a (hopefully) quick question.  How can I
	increase the speed of capturing packets from a file? The file
	was generated by tcpdump/snoop.

which indicates that Ethereal *wasn't* capturing packets, it was reading
an capture file written by some *other* program that was capturing
packets.

Were you reading an existing capture file, or capturing packets within
Ethereal from some network interface?  (You don't capture packets from a
file, you read packets from a file.)

References:
- RE: [Ethereal-users] Slow packet capture from file
  - From: Chris Robertson

Prev by Date: RE: [Ethereal-users] Slow packet capture from file
Next by Date: RE: [Ethereal-users] Slow packet capture from file
Previous by thread: RE: [Ethereal-users] Slow packet capture from file
Next by thread: RE: [Ethereal-users] Slow packet capture from file
Index(es):
- Date
- Thread