Wireshark-dev: Re: [Wireshark-dev] tshark: drop features "dump to stdout" and "read filter" - c
Jim Young wrote:
Hello All,
Ulf Lamping <ulf.lamping@xxxxxx> 10/10/07 11:29 AM >>>
The "temporary file model" is working in Wireshark's "update list of
packets" mode for quite a while and is working ok.
When doing a "live capture" in Wireshark on Windows
platforms I've really come to depend on dumpcap to
create and write the temporary trace files
(the $TEMP/etherXXXX* files).
With the current "temporary file model" by the time
Wireshark sees the data dumpcap has already
committed the packets to disk.
We've had several occasions where Wireshark crashed
while in the middle of a "live capture". With dumpcap
building the actual trace files, I was able to open the
orphaned etherXXXX* files and recover the trace
data. In some cases I was able to determine that
a specific packet or set of packets triggered the
initial Wireshark crash.
This "should" have been the case before *shark started using dumpcap,
too. The FAQ (http://www.wireshark.org/faq.html#q7.12) has said (for a
long time, I think):
Also, if at all possible, please send a copy of the capture file that caused the problem; when capturing packets, Wireshark normally writes captured packets to a temporary file, which will probably be in /tmp or /var/tmp on UNIX-flavored OSes, \TEMP on the main system disk
[...]
though I admit I never had to test the theory as I don't think Wireshark
ever crashed on me during a live capture.