[Winpcap-users] Question about record to multiple files
Guy Harris
guy at alum.mit.edu
Sun Nov 13 14:39:18 PST 2011
On Nov 13, 2011, at 2:28 PM, Tal Attaly wrote:
> "take a look at how tcpdump/WinDump implement -C and -G. -C is implemented by checking the file size with pcap_dump_ftell(); "
>
> and then.. i should stop all the recording and start it mannualy again (and loose packets) or their is a way to 'split' the recordings file in a smarter way.
No, then you should close the file to which you're writing and open one. Yes, that means you're not recording packets during that time, but there is obviously no way to avoid that, unless you have two separate threads, one of which copies packets from WinPcap into a buffer in the program's memory and another one that writes from that buffer. That means more copying, which could make the problem worse, not better; there is some amount of buffering done in the WinPcap driver, and if that's sufficient to hold the packets that arrive while you're switching files, then theres no need for anything fancier.
More information about the Winpcap-users
mailing list