Ethereal-users: Re: [Ethereal-users] Ring buffer issue with tethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: Ulf Lamping <ulf.lamping@xxxxxx>
Date: Sat, 26 Nov 2005 01:44:25 +0100
Cory Perry (SNL:434-951-7463) wrote:
I have run across and intersting issue with command line utility "Tetheral" when using (-b files:xxxx) ring buffers greater that 1024. (Used to keep a preset amount of historical data) The number of files saves never exceeds 1024. If I set value to 2000 or 5000, again only 1024 files are kept, first file written is deleted, but file number will increase to set value of -b files:xxxxxx. I have increased and decreased -a filesize:yyyyyy and -b files:xxxx (xxxx greater than 1024) Here is test command: tethereal -a filesize:1 -b files:2000 -w c:\temp\capture\test1.cap I am currently using the Windows version. tethereal 0.10.13 
Compiled with GLib 2.4.7, with WinPcap (version unknown), with libz 1.2.3,
with libpcre 6.3, with Net-SNMP 5.2.1.2, with ADNS.
Running with WinPcap version 3.1 (packet.dll version 3, 1, 0, 27), based on libp 
cap version 0.9[.x] on Windows XP Service Pack 2, build 2600.


Hi Cory!

Sorry for the late response, just being busy.
I can confirm this behaviour. The limit is currently 1024 max. files for the ring buffer feature.
The array to keep information about the ring buffer (e.g. all the file names) is allocated using g_malloc(), so increasing the maximum number will only increase the amount of memory used when such a huge number of files is really used.
So I don't see any technical reason for this limit being only 1024, probably the implementor did a quick estimate "more than 1000 files will never be used". Well, same as: "the year 2000 is more than 30 years in the future, so two digits to keep the year are just enough!" ;-)
It might simply be a prevention to not use a very (unreasonable) huge amount of files e.g. "12345678" as Ethereal will crash if it cannot get the memory for all this (each entry will typically take 100-200 bytes, or even more, depending on the length of the filename incl. full path).
Raising the max. number of ringbuffer files to 10000 might be a good idea. It won't hurd any of us and should help you in your project. 

Regards, ULFL
P.S: Another bug is that tethereal should complain about the huge number of files instead of simply reducing the actual number. This makes it hard to find the real limit (and also that there's a limit at all).