Wireshark-users: Re: [Wireshark-users] why is it so difficult to stop capturing with wireshark 1.
Date Prev · Date Next · Thread Prev · Thread Next
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 24 Sep 2012 14:11:24 -0700
On Sep 24, 2012, at 7:46 AM, bart sikkes <b.sikkes@xxxxxxxxx> wrote:

> does this happen when you are capturing a under high traffic load? i
> have had the same experience with windows systems when the traffic
> load was very high.

The problem is that, during a capture being updated in real time:

	dumpcap writes packets to the capture file, and, for each burst of packets it writes, sends Wireshark a message saying "I've written N more packets to the file";

	Wireshark reads those messages as they arrive, reads in N more packets, and updates the display;

and when you click the stop button, dumpcap may stop capturing and writing packets, but, if the traffic has been arriving faster than Wireshark can display it, there may be a significant backlog of packets for Wireshark to read even if no more are being written to the file.

This is bug 5892:

	https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5892

We could perhaps have Wireshark, once it's told dumpcap to stop capturing, quickly read and ignore all subsequent "N more packets have been written" messages, *and* set internal state so that attempting to save the capture will *not* be done by moving or copying the raw capture file, so that only the packets Wireshark read will be saved.  I added a note about the latter of those to the bug.

> it might be an option to capture via tcpdump

Or dumpcap.