Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Wireshark-bugs: [Wireshark-bugs] [Bug 2131] New: Allow in-memory circular capturing

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: bugzilla-daemon@xxxxxxxxxxxxx
Date: Sat, 22 Dec 2007 13:05:39 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2131

           Summary: Allow in-memory circular capturing
           Product: Wireshark
           Version: 0.99.7
          Platform: PC
               URL: http://wiki.wireshark.org/WishList#head-
                    22284e2d12a336464422602a5f6046b6d90bdb62.
        OS/Version: Windows XP
            Status: NEW
          Severity: Enhancement
          Priority: Medium
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: jay-wireshark@xxxxxxxxxxxxx


Build Information:
n/a
--
SUMMARY

When tracking down intermittent problems, it would be nice to have a
lightweight way to capture continuously, but discard older data until a trigger
(manual or, if easy enough to implement, automatic) is, er, triggered.

DETAILS

Wireshark has this partially implemented today as "ring buffer with n files"
mode.  However, this still entails writing all the data to disk, which is
inherently slower than keeping it in RAM. That makes the current implementation
potentially unsuitable for performance-critical servers and impatient users
like me.

VAGUELY ANALOGOUS FEATURE

Steinberg Cubase, an audio program, can constantly record all audio input to an
otherwise-invisible circular buffer.  When you press the "Record" button, it
first copies the previous minute of audio from that buffer to your project, and
continues recording from that point on.  People love it.

WORKAROUND

The existing "ring buffer" mode is probably suitable for many cases. 
Additionally, it should (in theory) be possible to write the ring buffer to a
RAMdisk instead of a physical disk, which would be almost (but not quite) as
fast as truly keeping the buffers in memory.

WIKI WISHLIST REFERENCE

This is mentioned in the wiki wishlist, linked above.  That entry states that
the feature would require file format changes, but I think that's wrong; I
think having two in-memory buffers that mimic two pcap files would work with
the existing ring-buffer code.  You'd just skip the part where you write them
to disk.


-- 
Configure bugmail: http://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube