Wireshark-dev: [Wireshark-dev] [SOLVED] Re: How could Wireshark write / read the pcap file simu
From: Aaron Lewis <the.warl0ck.1989@xxxxxxxxx>
Date: Wed, 2 Apr 2014 23:25:22 +0800
Thanks Guy

On Wed, Apr 2, 2014 at 2:01 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
>
> On Apr 1, 2014, at 10:52 PM, Aaron Lewis <the.warl0ck.1989@xxxxxxxxx> wrote:
>
>> From what I know, it seems like dumpcap listens for traffic and records
>> everything
>> And the Wireshark GUI reads and parses that file. (Usually a file located in /tmp)
>>
>> But,
>> 1) how did wireshark know there's a new packet?
>
> Dumpcap tells it.  There's a pipe between dumpcap and Wireshark/TShark, and every time a batch of packets is written to the file by dumpcap, it also writes a message to the pipe saying that N more packets have been written to the file.
>
>> 2) what happens if /tmp is full?
>
> Dumpcap gets a "no space left on disk" error and reports it to Wireshark/TShark over the pipe.  (The same thing happens with I/O errors, "you exceeded your disc quota" errors and so on.)
>



-- 
Best Regards,
Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/
Finger Print:   9F67 391B B770 8FF6 99DC  D92D 87F6 2602 1371 4D33
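
The mechanism described in the quoted reply, as an added sketch that is not part of the original thread and is not Wireshark's or dumpcap's code: a capture writer appends records to a file and announces each batch, or a write error, over a pipe, and the reader consumes only what has been announced. The `P`/`E` line format, the 4-byte record layout and all function names are assumptions made for this illustration; a thread stands in for the separate dumpcap process.

```python
import errno, os, struct, tempfile, threading

REC = struct.Struct("<I")  # constructed fixed-size "packet" record, not real pcap

def capture_child(capture_file, pipe_w, batches, fail_at=None):
    """Stand-in for dumpcap: write a batch to the file, then announce it on the pipe."""
    with os.fdopen(pipe_w, "w") as pipe:
        try:
            for i, batch in enumerate(batches):
                if i == fail_at:  # simulate a full /tmp on this batch
                    raise OSError(errno.ENOSPC, os.strerror(errno.ENOSPC))
                for pkt in batch:
                    capture_file.write(REC.pack(pkt))
                capture_file.flush()  # data must reach the file before the notice
                pipe.write(f"P {len(batch)}\n")  # "N more packets written"
                pipe.flush()
        except OSError as e:
            pipe.write(f"E {e.strerror}\n")  # report the error instead of a count

def ui_parent(path, pipe_r):
    """Stand-in for Wireshark/TShark: read only the packets the child announced."""
    packets, error = [], None
    with os.fdopen(pipe_r) as pipe, open(path, "rb") as f:
        for line in pipe:
            kind, _, arg = line.rstrip("\n").partition(" ")
            if kind == "P":
                for _ in range(int(arg)):
                    packets.append(REC.unpack(f.read(REC.size))[0])
            elif kind == "E":
                error = arg
                break
    return packets, error

def run(batches, fail_at=None):
    """Wire both sides together and return (packets_seen, error_message)."""
    r, w = os.pipe()
    with tempfile.NamedTemporaryFile(suffix=".cap") as tmp:
        t = threading.Thread(target=capture_child, args=(tmp, w, batches, fail_at))
        t.start()
        result = ui_parent(tmp.name, r)
        t.join()
    return result

if __name__ == "__main__":
    print(run([[1, 2], [3]]))                 # all batches announced and read
    print(run([[1, 2], [3], [4]], fail_at=1))  # error reported after first batch
```

Because the reader never reads past the announced count, it cannot see a half-written record, and a disk-full condition arrives as an explicit message rather than as a silently truncated file.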