[Winpcap-users] Question about record to multiple files
Tal Attaly
tal.attaly at gmail.com
Sat Jan 14 12:45:23 PST 2012
You right. what i did was closing only the file (not the session) and
immediately open a new one. I tested it by recording with my application
and Wireshark at the same time, and then i checked that there is no packets
in the wireshark recording between the last packet of my first file and the
first packet of my second file. I also set winpcap buffer to 16MB, just in
case...
Thanks for the help!
2011/11/14 Guy Harris <guy at alum.mit.edu>
>
> On Nov 13, 2011, at 2:28 PM, Tal Attaly wrote:
>
> > "take a look at how tcpdump/WinDump implement -C and -G. -C is
> implemented by checking the file size with pcap_dump_ftell(); "
> >
> > and then.. i should stop all the recording and start it mannualy again
> (and loose packets) or their is a way to 'split' the recordings file in a
> smarter way.
>
> No, then you should close the file to which you're writing and open one.
> Yes, that means you're not recording packets during that time, but there
> is obviously no way to avoid that, unless you have two separate threads,
> one of which copies packets from WinPcap into a buffer in the program's
> memory and another one that writes from that buffer. That means more
> copying, which could make the problem worse, not better; there is some
> amount of buffering done in the WinPcap driver, and if that's sufficient to
> hold the packets that arrive while you're switching files, then theres no
> need for anything fancier.
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.winpcap.org/pipermail/winpcap-users/attachments/20120114/89eda491/attachment.html>
More information about the Winpcap-users
mailing list