Lately, I've run into a few intermittent issues (HTTP-level anomalies, 
mostly) on my Windows XP SP2 machine that I could probably solve, if 
only I had a Wireshark trace file.  Unfortunately, the problems happen 
maybe once a week.  So capturing it is like the old joke: "To get to 
Times Square, watch me, and get off the subway one stop before I do."

As far as I can tell from searching the forum, there's no good way to 
keep Wireshark up and running and capturing to an in-memory circular 
buffer, so that when I hit a problem, I can go back in time a few 
minutes, and say "Ah hah!  Here's the trace for that!"  I know Wireshark 
has a ring buffer mode, but that still writes every byte to disk, which 
seems like a good way to raise my blood pressure as my entire online 
experience slows down for the next month.

From what I've seen, the best I could do is set Wireshark up to use 
ring-buffer files, and set those files up to be on a RAMdisk (if such a 
thing even still exists for Windows), so although we're still going 
through all the file-I/O semantics, we're not actually touching a disk 
spindle.  But there's no way to set up a true, lightweight ring/circular 
buffer, which would just be a memcpy of the Ethernet packets, and then, 
when I actually care, trigger a "hey! NOW I'm interested in that data" 
function. 

I'm thinking of something like commercial audio recording packages, 
which often include a "pre-record" feature.  The mics are always on and 
recording, and if you then press Record, you'll get the previous minute 
of audio inserted after-the-fact, as well as everything from that moment 
forward.  It's the "oops I wish I had been recording" feature.

So is the RAMdisk/ring-buffer solution the best approximation of that?  
Or is there another way to do this, either with Wireshark or another 
tool (either free or commercial but not enterprise-priced)?

Jay Levitt
_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
