Ethereal-dev: [Ethereal-dev] Re: [Ethereal-users] Questions on using ethereal / tethereal
I'll take a stab at answering some of these:
Heilmaier, Alois wrote:
Hello,
I use the following version of tethereal:
(tethereal -v
tethereal 0.9.11, with GLib 1.3.2, with libpcap (version unknown), with libz
1.1.4, with Net-SNMP 5.0.6, running on Windows NT 4.0 Service Pack 5, build
1381)
I have some questions on tethereal / ethereal:
1.) Why is ethereal / tethereal not capable of capturing more than 10
tracefiles in ringbuffer mode?
Very good question. I've asked before but never really found an
explanation. 10 is an arbitrarily set limit, and I don't know why it's
so low. It's also limited by "FOPEN_MAX", which appears to be 16 in
Linux but doesn't appear to have any relation to the maximum number of
fopen()s allowed. Personally, I've removed these limitations (and set a
fixed max of 1000 files), and not noticed any side-effects under Win2K,
WinXP, and Linux.
I know that there was discussion of changing/removing these limitations
about a year and a half ago. As far as I know the discussion just went
away. Perhaps now is a good time to revisit the issue?
Incidentally, does anyone reading this message know who contributed this
section of code?
2.) When I capture in ringbuffer mode (e.g. tethereal -a filesize:2000 -b 7
-w outfile) I get only one tracefile when I stop
the capture (with the CTRL + C keys).
How can I get the files all separated, e.g. outfile_00, outfile_01, ...,
outfile_n? (Such separate outfiles are listed in
the capture directory while the capture is running.)
This is because I want to capture a high volume of traffic, e.g. the traffic
of a whole day. If I were able to set the
number of files to 1000 and the filesize to 32 Mbyte I would be
able to do such long captures.
I'm very confused, perhaps I don't understand your problem. If you're
running something like "tethereal -a filesize:2000 -b 7 -w test.cap",
you should generate multiple files with unique names if you receive more
than 2MB of data before you stop the capture. When you do this, are you
just getting one large file that's LARGER than 2MB?
I had some weird problems with Ethereal stopping capture prematurely if
I used a very large (and in some cases very specific) value for
filesize. Perhaps you're seeing something like that? (However, testing
the command I gave above with 0.9.13 and libpcap 3.0 on Win2k worked
just fine for me. Perhaps something with NT4?).
3.) Is it possible to limit the capture files in tethereal with a packet count
option like in Ethereal (Capture limits > stop
capture after "n" packet(s) captured)?
No, I don't believe so. You can only autostop (or wrap files in
ringbuffer mode) based on file size or elapsed time.
4.) Why is there a packet count option to limit a capture in ethereal but not in
tethereal? I thought all such "global" options
would be the same in ethereal and in tethereal.
No idea, though I suspect the reason is going to be something like "no
one ever implemented it". (Personally, when capturing for extended
periods of time I tend to be more interested in limiting captures by
size so I can predict how much space they will take up (so I can
maximize disk utilization) rather than how many frames are in each
trace (presumably because I want to make sure that the traces are
manageable when performing analysis - instead I split and rearrange
traces post-capture using scripts or a GUI front-end for
editcap/mergecap that I wrote))
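As an added example (not code from this thread, nor from Ethereal or editcap), here is the post-capture splitting the reply falls back on, for the case the thread leaves open: tethereal can wrap files by size or elapsed time but not by packet count, and a Ctrl-C can leave the last record of a capture truncated. The script reads a classic libpcap file, splits it either by packet count or by a file-size ceiling, tolerates a truncated trailing record, and writes the pieces with the outfile_00, outfile_01, ... naming the question describes. The function names, the sample frames and the 2-digit name scheme are constructed for this illustration; only the pcap record layout (24-byte global header, 16-byte per-record header) is the real format.

```python
import os
import struct

PCAP_MAGIC_LE = 0xa1b2c3d4      # magic as it reads when the file is little-endian
PCAP_MAGIC_BE = 0xd4c3b2a1      # the same bytes read from a big-endian file
GLOBAL_HDR_LEN = 24
REC_HDR_LEN = 16


def build_pcap(packets, linktype=1, snaplen=65535, endian="<"):
    """Assemble a classic pcap blob in memory from (ts_sec, ts_usec, frame_bytes) tuples.
    Used here only to construct sample input; a real capture comes from tethereal -w."""
    out = bytearray(struct.pack(endian + "IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, data in packets:
        out += struct.pack(endian + "IIII", ts_sec, ts_usec, len(data), len(data))
        out += data
    return bytes(out)


def read_pcap(blob, strict=True):
    """Parse a pcap blob into (global_header_bytes, [raw_record_bytes, ...]).
    Each record keeps its 16-byte header plus data so it can be copied verbatim.
    With strict=False a truncated trailing record (e.g. after Ctrl-C) is dropped
    instead of raising, and everything before it is kept."""
    if len(blob) < GLOBAL_HDR_LEN:
        raise ValueError("short pcap global header")
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file: magic 0x%08x" % magic)
    header = blob[:GLOBAL_HDR_LEN]
    records = []
    off = GLOBAL_HDR_LEN
    while off < len(blob):
        if off + REC_HDR_LEN > len(blob):
            if strict:
                raise ValueError("truncated record header at offset %d" % off)
            break
        _, _, incl_len, _ = struct.unpack(endian + "IIII", blob[off:off + REC_HDR_LEN])
        end = off + REC_HDR_LEN + incl_len
        if end > len(blob):
            if strict:
                raise ValueError("truncated packet data at offset %d" % off)
            break
        records.append(blob[off:end])
        off = end
    return header, records


def split_by_count(blob, per_file, strict=True):
    """Split into files of at most per_file packets (the limit tethereal 0.9.x lacks)."""
    if per_file < 1:
        raise ValueError("per_file must be >= 1")
    header, records = read_pcap(blob, strict)
    return [header + b"".join(records[i:i + per_file]) for i in range(0, len(records), per_file)]


def split_by_size(blob, max_bytes, strict=True):
    """Split so no output file exceeds max_bytes, mirroring -a filesize.
    A single record larger than the ceiling still gets a file of its own
    rather than being silently dropped."""
    header, records = read_pcap(blob, strict)
    chunks, cur = [], bytearray(header)
    for rec in records:
        if len(cur) > GLOBAL_HDR_LEN and len(cur) + len(rec) > max_bytes:
            chunks.append(bytes(cur))
            cur = bytearray(header)
        cur += rec
    if len(cur) > GLOBAL_HDR_LEN or not chunks:
        chunks.append(bytes(cur))
    return chunks


def write_chunks(chunks, base, directory="."):
    """Write chunks as base_00, base_01, ... (the naming from the question; assumed scheme)."""
    paths = []
    for i, chunk in enumerate(chunks):
        path = os.path.join(directory, "%s_%02d" % (base, i))
        with open(path, "wb") as f:
            f.write(chunk)
        paths.append(path)
    return paths


# Constructed sample: seven dummy 100-byte frames, not real traffic.
SAMPLE_PACKETS = [(1000 + i, i * 1000, bytes([i]) * 100) for i in range(7)]

if __name__ == "__main__":
    capture = build_pcap(SAMPLE_PACKETS)
    for chunk in split_by_count(capture, 3):
        print("by count: %d packets, %d bytes" % (len(read_pcap(chunk)[1]), len(chunk)))
    for chunk in split_by_size(capture, 300):
        print("by size:  %d packets, %d bytes" % (len(read_pcap(chunk)[1]), len(chunk)))
```

To split a real capture, replace `capture` with the bytes of a file written by `tethereal -w`; the global header is copied unchanged into every piece, so byte order and link type are preserved and each piece opens in ethereal on its own.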