Wireshark · Wireshark-users: [Wireshark-users] Continuous/circular in-memory tracing?

[Jay Levitt <lists-wireshark@xxxxxxxxxxxxx>]

Lately, I've run into a few intermittent issues (HTTP-level anomalies, 
mostly) on my Windows XP SP2 machine that I could probably solve, if 
only I had a Wireshark trace file.  Unfortunately, the problems happen 
maybe once a week.  So capturing it is like the old joke: "To get to 
Times Square, watch me, and get off the subway one stop before I do."

As far as I can tell from searching the forum, there's no good way to 
keep Wireshark up and running and capturing to an in-memory circular 
buffer, so that when I hit a problem, I can go back in time a few 
minutes, and say "Ah hah!  Here's the trace for that!"  I know Wireshark 
has a ring buffer mode, but that still writes every byte to disk, which 
seems like a good way to raise my blood pressure as my entire online 
experience slows down for the next month.

From what I've seen, the best I could do is set Wireshark up to use 
ring-buffer files, and set those files up to be on a RAMdisk (if such a 
thing even still exists for Windows), so although we're still going 
through all the file-I/O semantics, we're not actually touching a disk 
spindle.  But there's no way to set up a true, lightweight ring/circular 
buffer, which would just be a memcpy of the Ethernet packets, and then, 
when I actually care, trigger a "hey! NOW I'm interested in that data" 
function. 

I'm thinking of something like commercial audio recording packages, 
which often include a "pre-record" feature.  The mics are always on and 
recording, and if you then press Record, you'll get the previous minute 
of audio inserted after-the-fact, as well as everything from that moment 
forward.  It's the "oops I wish I had been recording" feature.

So is the RAMdisk/ring-buffer solution the best approximation of that?  
Or is there another way to do this, either with Wireshark or another 
tool (either free or commercial but not enterprise-priced)?

Jay Levitt