Wireshark · Ethereal-dev: Re: [Ethereal-dev] Re: [Ethereal-users] Questions on using ethereal / tethereal

Ethereal-dev: Re: [Ethereal-dev] Re: [Ethereal-users] Questions on using ethereal / tethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Ian Schorr <spamcontrol2@xxxxxxxxxxx>

Date: Wed, 18 Jun 2003 18:22:39 -0400

See below:

Laurent Deniel wrote:

Ian Schorr wrote:
1.) Why is ethereal / tethereal not capable to capture more than 10
tracefiles in ringbuffer mode ?
Very good question. I've asked before but never really found anexplanation. 10 is an arbitrarily set limit, and I don't know whyit's so low. It's also limited by "FOPEN_MAX", which appears to be16 in Linux but doesn't appear to have any relation to the maximumnumber of fopen()s allowed. Personally, I've removed theselimitations (and set a fixed max of 1000 files), and not noticed anyside-effects under Win2K, WinXP, and Linux.
There is no problem to increase such a limit (the maximum number of
open files is usually high enough on moderm Unices, and on old ones,
a limit of 64 comes in mind). So it is safe (no impact on current code)
to increase from 10 to at least 64 without problems ...

So the question remains - does it make sense to change the limitation?Does anyone have any objections or see any potential problems? Wasthere a reason that this was set initially? I can't answer these questions.

But the question is : why do you need so many files ? and could you tune
the maximum file size instead of the number of files ...

One reason is because one is capturing a large amount of data, probablyacross a relatively long time period, and wants the outputted files tobe manageable for post-capture analysis.If you're monitoring a link and an event occurs, would you ratheranalyze 1 4GB file, or one (or a few, depending on how accurate you canmatch up event time versus timstamp on the capture device) of 20 200MBfiles? What if you have to transfer the files to a remote machine foranalysis? What if you want to record a days' worth of traffic, andrealize it will consume 300GB of space? You'd want to capture 10 30GBfiles? I suspect that's not even possible on some platforms.

A lesser issue would be the fact that with 10 files, every time my fileswrap and a "full" file is restarted and overwritten, 10% of my overalldata is lost - I only have 90% of the traffic potential history that I*could* have.

What use is the ring buffer other than generating small, managable fileswhile capturing?

Follow-Ups:
- [Ethereal-dev] Re: [Ethereal-users] Questions on using ethereal / tethereal
  - From: Guy Harris

References:
- [Ethereal-dev] Re: [Ethereal-users] Questions on using ethereal / tethereal
  - From: Ian Schorr
- Re: [Ethereal-dev] Re: [Ethereal-users] Questions on using ethereal / tethereal
  - From: Laurent Deniel

Prev by Date: Re: [Ethereal-dev] Re: [Ethereal-users] Questions on using ethereal / tethereal
Next by Date: [Ethereal-dev] Re: [Ethereal-users] Questions on using ethereal / tethereal
Previous by thread: Re: [Ethereal-dev] Re: [Ethereal-users] Questions on using ethereal / tethereal
Next by thread: [Ethereal-dev] Re: [Ethereal-users] Questions on using ethereal / tethereal
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$