Ethereal-users: [Ethereal-users] Packet capture halts.
Hey all,
I have a problem where packet captures will halt after a few seconds of
capturing. Using capture filters only means I get fewer packets, not a
longer "capture lifetime". I'm capturing on a 100Mb segment that is pretty
much 100% utilized (20000+ pps), under Linux kernel 2.2.17 with two rtl8139
cards, 1GHz Pentium III, 512MB RAM. Capture on eth1, ssh session into eth0
(ethereal gets piped to Linux console over ssh tunnel). Also using libpcap
0.5.2.
I'm upgrading to kernel 2.4.1, libpcap 0.6.2 (or whatever the latest is),
and ethereal 0.8.15 (using a post-0.8.14 nightly build currently) tomorrow,
starting with the kernel, of course.
But in general, I wanted to know if anyone had come across a problem like
this, and what s/he did to solve it. Is there a way to capture (reliably)
on a link running this much traffic?
Note: Ethereal does not die or lock up, it just stops capturing packets.
If I click Stop, it decodes fine, everything works normally, and I can run
subsequent captures, but I can't run certain captures as long as I'd like
(tcp[13] & 9 = 9 and src net xxx.xxx.196.0 mask 255.255.254.0). I *could*
run a capture like that for quite a while before I got enough packets to
worry about memory usage or disk space, but the capture always dies well
before I even reach 1000 packets (post-filter).
Ideas?
Later...
Justin McNutt
Mizzou Telecom - A Unit of IATS
(573) 882-5183
Attempting to make a living at legitimate computing...
