Wireshark-users: Re: [Wireshark-users] why is it so difficult to stop capturing with wireshark 1.
On Sep 24, 2012, at 7:46 AM, bart sikkes <b.sikkes@xxxxxxxxx> wrote:
> does this happen when you are capturing a under high traffic load? i
> have had the same experience with windows systems when the traffic
> load was very high.
The problem is that, during a capture being updated in real time:
dumpcap writes packets to the capture file, and, for each burst of packets it writes, sends Wireshark a message saying "I've written N more packets to the file";
Wireshark reads those messages as they arrive, reads in N more packets, and updates the display;
and when you click the stop button, dumpcap may stop capturing and writing packets, but, if the traffic has been arriving faster than Wireshark can display it, there may be a significant backlog of packets for Wireshark to read even if no more are being written to the file.
This is bug 5892:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5892
We could perhaps have Wireshark, once it's told dumpcap to stop capturing, quickly read and ignore all subsequent "N more packets have been written" messages, *and* set internal state so that attempting to save the capture will *not* be done by moving or copying the raw capture file, so that only the packets Wireshark read will be saved. I added a note about the latter of those to the bug.
> it might be an option to capture via tcpdump
Or dumpcap.