Ethereal-dev: Re: [Ethereal-dev] buffer overflow

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Wed, 20 Jul 2005 02:09:33 -0700
Srivathsan_Srinivasagopalan wrote:

> I would like to know how Ethereal manages buffer overflow. I understand the capture driver stores the packets in a ring buffer so that the old packets are discarded.

Whether the capture driver works that way depends on the capture driver. Ethereal doesn't include any capture drivers; it relies on the capture driver that comes with the OS (on UN*X) or that comes with WinPcap (on Windows).

On the OSes I'm familiar with, if the buffer is full, *new* packets are discarded, not *old* packets.

> Also, these buffer properties (like size, rotating capture file, etc.) are user configurable.

The OS's capture buffer doesn't do anything with files (except on Windows, in some versions of WinPcap, but Ethereal doesn't use the "capture to a file" feature).

The buffer size isn't currently configurable by Ethereal except on Windows.

There are two separate buffering mechanisms - the one that the low-level capture code (not part of Ethereal) uses, and the buffering mechanism that Ethereal uses. By default, Ethereal saves captured packets by appending them to a file, and there's no ring buffer involved - packets that Ethereal sees (i.e., that aren't discarded by the low-level capture code) aren't discarded, they're all written to the capture file. Ethereal can also run the capture files as a ring buffer, but the whole *purpose* for doing that is to discard packets past a certain point, to limit the amount of data being saved, so there's no mechanism for avoiding buffer overflow when using a ring buffer.
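The two buffering layers described in the message above can be modelled side by side to see which packets each one loses. This is an added example, not part of the original message and not code from Ethereal or any capture driver; the buffer sizes, file counts and traffic pattern are constructed, and `struct sim`, `arrive`, `ring_write`, `drain` and `run_demo` are hypothetical names.

```c
#include <stdio.h>

#define KBUF_SLOTS 4  /* constructed: packets the OS capture buffer holds */
#define RING_FILES 2  /* constructed: capture files kept in the ring */
#define FILE_PKTS  3  /* constructed: packets per capture file */
struct sim {
    unsigned kbuf[KBUF_SLOTS]; size_t kused;
    unsigned kdropped;     /* new packets lost because the OS buffer was full */
    unsigned ring[RING_FILES][FILE_PKTS]; size_t fcount[RING_FILES], cur;
    unsigned rotated_out;  /* old packets discarded when a ring file is reused */
};

/* Packet arrives from the network: a full OS buffer drops the NEW packet. */
static void arrive(struct sim *s, unsigned id) {
    if (s->kused == KBUF_SLOTS) { s->kdropped++; return; }
    s->kbuf[s->kused++] = id;
}

/* Application side: append to the current file; reuse the oldest file when full. */
static void ring_write(struct sim *s, unsigned id) {
    if (s->fcount[s->cur] == FILE_PKTS) {
        s->cur = (s->cur + 1) % RING_FILES;
        s->rotated_out += (unsigned)s->fcount[s->cur];  /* OLD packets go */
        s->fcount[s->cur] = 0;
    }
    s->ring[s->cur][s->fcount[s->cur]++] = id;
}

/* Application reads up to n packets from the OS buffer, oldest first. */
static void drain(struct sim *s, size_t n) {
    size_t take = n < s->kused ? n : s->kused;
    for (size_t i = 0; i < take; i++) ring_write(s, s->kbuf[i]);
    for (size_t i = take; i < s->kused; i++) s->kbuf[i - take] = s->kbuf[i];
    s->kused -= take;
}

/* Constructed traffic: two bursts of 6 packets, reader drains after each. */
struct sim run_demo(void) {
    struct sim s = {0};
    for (unsigned id = 1; id <= 12; id++) {
        arrive(&s, id);
        if (id % 6 == 0) drain(&s, KBUF_SLOTS);
    }
    return s;
}

int main(void) {
    struct sim s = run_demo();
    printf("dropped new: %u, discarded old: %u\n", s.kdropped, s.rotated_out);
}
```

In this model packets 5, 6, 11 and 12 never reach the application, packets 1 to 3 are written and later discarded by file reuse, and the files end up holding 4, 7, 8, 9 and 10, so a gap in a saved capture can come from either layer.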