Torres, Javier wrote:

> I had a question on the timing of how wireshark/tshark writes to disk.
> I have some data streams I need to capture, comes out to about 6gig of
> data per day. I need to make sure I don’t drop any info from the box
> and my fear is the time it takes to write to disk.
> Does Wireshark/Tshark put the sequence number on the packet before it
> writes to disk?

To which sequence number are you referring?

TCP, and other protocol, sequence numbers are part of the packet data it
writes to disk; Wireshark/Tshark doesn't set that.

The sequence number that appears, by default, in the first column of the
Wireshark display is not in the capture file; the Nth packet in the file
has N as its sequence number.

Any packet dropping when capturing is done before Wireshark/Tshark sees
the packet, so the only way Wireshark/Tshark can even know packets have
been dropped is if the capture mechanism lets it get dropped-packet
counts from libpcap/WinPcap. Wireshark will display that number on a
live capture, and Tshark will write "N packets dropped" to the standard
error when it terminates if N is non-zero. That number isn't saved in a
capture file, however (libpcap format has no place to put it).
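As an added illustration (not part of the original message and not Wireshark's code), here is a minimal reader for the classic libpcap file layout, run on a constructed in-memory capture. The file header and per-packet headers carry no frame-number or drop-count field, so frame numbers come from position alone and a missing packet leaves no gap. All function names are hypothetical.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap file, microsecond timestamps
GLOBAL_HDR = "IHHiIII"    # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"       # ts_sec, ts_usec, incl_len, orig_len
NAMES = ("magic", "major", "minor", "thiszone", "sigfigs", "snaplen", "linktype")

def build_pcap(packets, snaplen=65535, linktype=1):
    """Build a constructed little-endian capture from (ts_sec, data) pairs."""
    out = struct.pack("<" + GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, data in packets:
        out += struct.pack("<" + RECORD_HDR, ts_sec, 0, len(data), len(data)) + data
    return out

def read_pcap(blob):
    """Return (global header dict, record list) for a classic pcap blob."""
    if len(blob) < 24:
        raise ValueError("truncated global header")
    # The magic number reveals the byte order the writer used.
    for order in ("<", ">"):
        if struct.unpack(order + "I", blob[:4])[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a classic microsecond pcap file")
    header = dict(zip(NAMES, struct.unpack(order + GLOBAL_HDR, blob[:24])))
    records, offset = [], 24
    while offset < len(blob):
        if offset + 16 > len(blob):
            raise ValueError("truncated record header")
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(
            order + RECORD_HDR, blob, offset)
        data = blob[offset + 16:offset + 16 + incl_len]
        if len(data) != incl_len:
            raise ValueError("truncated packet data")
        # No frame number is stored: it is just the record's position in the file.
        records.append({"frame": len(records) + 1, "ts_sec": ts_sec,
                        "orig_len": orig_len, "data": data})
        offset += 16 + incl_len
    return header, records

def without_frame(blob, frame):
    """Rewrite the capture as if one packet had never reached the writer."""
    header, records = read_pcap(blob)
    kept = [(r["ts_sec"], r["data"]) for r in records if r["frame"] != frame]
    return build_pcap(kept, header["snaplen"], header["linktype"])

# Constructed sample: three packets with arbitrary payload bytes.
SAMPLE = build_pcap([(1000, b"aaaa"), (1001, b"bbbbbb"), (1002, b"cc")])
```

Because the file cannot record loss, the drop count has to be captured separately at capture time, for example by saving Tshark's standard error alongside the capture file.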