Wireshark · Ethereal-users: RE: [Ethereal-users] frequent question and request for the develo pers

Ethereal-users: RE: [Ethereal-users] frequent question and request for the develo pers
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Alistair.McGlinchy@xxxxxxxxxxxxxxxxxxxxx
Date: Thu, 23 May 2002 14:17:38 +0100
Hi All,

I can also confirm that with ethereal 0.9.3 running on Win NT 4.0, the "ring
buffer" function works as expected. 

It traced my PC sending 1400 byte pings to every valid IP address on my
token ring to ensure that I could see "progress". I used 5 files @ 10KB per
file. After 25 x 10KB was captured I stopped the trace and checked the
files. The last 5 x 10KB of data have been captured with no packet loss and
contained all the packets I expected them to.

The only gotcha I found was that the timestamp of the capture files do not
change while the trace is going on.  Perhaps this was Christopher was
witnessing?

Alistair
> ----------------------------------------------------------------------
> Alistair McGlinchy,           alistair.mcglinchy@xxxxxxxxxxxxxxxxxxxxx
> Sizing and Performance, Central IT,   ext. 5012,   ph +44 20 7268-5012
> Marks and Spencer, 3 Longwalk Rd, Stockley Park, Uxbridge UB11 1AW, UK 
> 
> -----Original Message-----
> From:	Richard Urwin [SMTP:RUrwin@xxxxxxxxxxxxx]
> Sent:	Thursday, May 23, 2002 9:00 AM
> To:	ethereal-users@xxxxxxxxxxxx
> Subject:	RE: [Ethereal-users] frequent question and request for the
> develo pers
> 
> I configured the capture for 2 10K files called "fred."
> 
> Ethereal created a file called "fred". When that was full it created a
> file
> called "fred.001". When that was full I saw the file modified date on
> "fred"
> change as Ethereal went back to it, and when it was full I saw the date of
> "fred.001" change as it was refilled. This continued for some significant
> number of repetitions.
> 
> When I stopped the capture the files were renamed "fred_<date><time>".
> (Where <time> was slightly different for each file.)
> 
> The source code function ringbuf_switch_file increments the suffix number
> modulo the number of files. That modulo would be unnecessary if it
> intended
> to end the capture with the final file. It does not trigger any "end of
> capture" behavior that I could see.
> 
> -- 
> Richard Urwin, Software Design Engineer
> Schenck Test Automation
> Braemar Court, 1311b Melton Road, Syston, UK.
> rurwin@xxxxxxxxxxxxx
> 
> 
> 
> -----Original Message-----
> From: Eckert, Christopher [mailto:CEckert@xxxxxxxxxxxxxx]
> Sent: Wednesday, May 22, 2002 2:07 PM
> To: 'Richard Urwin'
> Subject: RE: [Ethereal-users] frequent question and request for the
> develo pers
> 
> 
> What does your do? Please understand, I want a wrapping buffer like I have
> in Sniffer but have read many times on the list that at the end of the
> last
> ring buffer it simply stops. I will gladly retract my statement and
> correct
> myself if I am wrong.
> 
> Do you see it starting over with the first file name? I am not big on
> reading source code. What does the source say it should do?
> 
> -----Original Message-----
> From: Richard Urwin [mailto:RUrwin@xxxxxxxxxxxxx]
> Sent: Wednesday, May 22, 2002 5:04 AM
> To: ethereal-users@xxxxxxxxxxxx
> Subject: RE: [Ethereal-users] frequent question and request for the
> develo pers
> 
> 
> > In Ethereal's Ring Buffer a number of files are specified with file
> sizes
> > and once the files are full the capture is finished.
> 
> This is not what the source code implies, and it is not what my copy of
> Ethereal does.
> 
> > It could be done by going back to the first buffer after
> > the last one was used
> 
> This behavior is implied by the source code, and exhibited by my copy of
> Ethereal.
> I am using 0.9.3 on WinNT 4.0 fully patched.
> 
> I have used 2 files of 10kbytes each, if I tried using 10 files of 10M it
> would take too long to fill them. Can you try my test on your system and
> see
> what happens? I enclose a screen grab of the capture dialog for
> comparison.
> 
> 
> -- 
> Richard Urwin, Software Design Engineer
> Schenck Test Automation
> Braemar Court, 1311b Melton Road, Syston, UK.
> rurwin@xxxxxxxxxxxxx
> 
> 
> 
> -----Original Message-----
> From: Eckert, Christopher [mailto:CEckert@xxxxxxxxxxxxxx]
> Sent: Monday, May 20, 2002 5:39 PM
> To: ethereal-users@xxxxxxxxxxxx
> Subject: [Ethereal-users] frequent question and request for the
> developers
> 
> 
> The ring buffer wrap question seems to come up a lot. What it seems people
> are asking for is a wrap buffer, one which, once it reaches the end of the
> buffer, it starts overwriting the beginning of the same buffer. That is
> common in Sniffer and other brands. It is not something Ethereal does as I
> understand it. 
> 
> In Ethereal's Ring Buffer a number of files are specified with file sizes
> and once the files are full the capture is finished. In other programs,
> lets
> use Sniffer as our example, a single buffer is wrapped. You can specify
> the
> size of this single buffer like you can with Ethereal's ring buffers but
> there is only one buffer file. when the maximum size of the file is
> reached
> Sniffer starts writing over the beginning of it. Once the end of the file
> is
> reached it again returns to the beginning of the file and so on and so
> forth.
> 
> Wrap buffers are handy if you need to leave an analyzer capturing until
> you
> have notification that a problem has occurred and then stop it. You simply
> adjust the wrap file size to accommodate the amount of time to be still
> stored in the buffer once you get notified. 
> 
> This is a common means of usage in the real world and would make Ethereal
> much more useable. It could be done by going back to the first buffer
> after
> the last one was used or by wrapping in the same file. Either way it would
> be easy enough to train the user population. It would also stop the same
> question from being asked over and over. Note that that should be taken as
> an indicator of the worlds desire for this option.
> 
> I have cross posted this to the developers and documentation lists in
> hopes
> of generating some clarification of this in the users guide and as a means
> of begging the developers for this option to be looked into.
> 
>  
> 
> -----Original Message-----
> From: pmarkham@xxxxxxxxxx [mailto:pmarkham@xxxxxxxxxx]
> Sent: Monday, May 20, 2002 9:41 AM
> To: ethereal-users@xxxxxxxxxxxx
> Subject: [Ethereal-users] Re: "ring mode" file size
> 
> 
> Without fully understanding the intent of your question, I assume you
> realize that 10000 kbytes is 10 megs of data per file?
> 
> As a consequence of careless reading, I first played with the filesize
> based
> on the premise that the units were bytes. File changes 
> do not take place rapidly when the data pipe is only a 56K dialup.... ;-) 
> 
> Peter
> 
> Karlheinz Mueller wrote:
> 
> > Is it possible that these 10 Files will be used as a kind "Ring Buffer".
> > If all 10 files are filled up, then Ethereal will start at the first
> > file again and overwrite.
>  
> 
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
> 
> --------------------------------------------------------------------------
> --
> --
> This e-mail transmission may contain information that is proprietary,
> privileged and/or confidential and is intended exclusively for the
> person(s)
> to whom it is addressed. Any use, copying, retention or disclosure by any
> person other than the intended recipient or the intended recipient's
> designees is strictly prohibited. If you have received this message in
> error, please notify the sender immediately by return e-mail and delete
> all
> copies.
> 
> 
> ==========================================================================
> ==
> ==
> 
> 
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
> 
> _____________________________________________________________________
> This message has been checked for all known viruses by UUNET delivered 
> through the MessageLabs Virus Control Centre. For further information
> visit
> http://www.uk.uu.net/products/security/virus/
> 
> 
> 
> ________________________________________________________________________
> This email has been scanned for all viruses by the MessageLabs SkyScan
> service. For more information on a proactive anti-virus service working
> around the clock, around the globe, visit http://www.messagelabs.com
> ________________________________________________________________________
> 
> --------------------------------------------------------------------------
> --
> --
> This e-mail transmission may contain information that is proprietary,
> privileged and/or confidential and is intended exclusively for the
> person(s)
> to whom it is addressed. Any use, copying, retention or disclosure by any
> person other than the intended recipient or the intended recipient's
> designees is strictly prohibited. If you have received this message in
> error, please notify the sender immediately by return e-mail and delete
> all
> copies.
> 
> 
> ==========================================================================
> ==
> ==
> 
> 
> _____________________________________________________________________
> This message has been checked for all known viruses by UUNET delivered 
> through the MessageLabs Virus Control Centre. For further information
> visit
> http://www.uk.uu.net/products/security/virus/
> 
> ________________________________________________________________________
> This email has been scanned for all viruses by the MessageLabs SkyScan
> service. For more information on a proactive anti-virus service working
> around the clock, around the globe, visit http://www.messagelabs.com
> ________________________________________________________________________
> 
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users


-----------------------------------------------------------------------


Registered Office:
Marks & Spencer p.l.c
Michael House, Baker Street,
London, W1U 8EP
Registered No. 214436 in England and Wales.

Telephone (020) 7935 4422 
Facsimile (020) 7487 2670

www.marksandspencer.com

Please note that electronic mail may be monitored.

This e-mail is confidential. If you received it by mistake, please let us know and then delete it from your system; you should not copy, disclose, or distribute its contents to anyone nor act in reliance on this e-mail, as this is prohibited and may be unlawful.

The registered office of Marks and Spencer Financial Services Limited, Marks and Spencer Unit Trust Management Limited, Marks and Spencer Life Assurance Limited and Marks and Spencer Savings and Investments Limited is Kings Meadow, Chester, CH99 9FB.
Prev by Date: [Ethereal-users] using ethereal & tethereal 0.9.1 in HP-UX
Next by Date: Re: [Ethereal-users] Windows Icon Doesn't Look Right
Previous by thread: RE: [Ethereal-users] frequent question and request for the develo pers
Next by thread: [Ethereal-users] using ethereal & tethereal 0.9.1 in HP-UX
Index(es):
- Date
- Thread
Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark
Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark
Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application
$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$