Wireshark-dev: Re: [Wireshark-dev] [Wireshark-users] tshark or dumpcap ring buffer limitations
From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Tue, 25 May 2010 17:17:33 -0400
Jeff Morriss wrote:
Gerald Combs wrote:
Jaap Keuter wrote:
On Thu, 20 May 2010 12:05:09 -0400, Jeff Morriss
This appeared in rev 7912 and it appears that the max # of files limit was there originally because *ethereal kept the old files open so we would (prior to that commit) run out of fds.

Any reason not to just take this constant out and let users specify any number?
Any number would mean an array of keeping names of that size as well. And
it's some sort of self protection, since not all file systems handle a
kazillion files well. But what an appropriate limit would be, who knows?

We don't actually store all those files names, just an incrementing variable.

Oops, I was wrong about that: we do store the file names.  <sigh>

I think a value of 50000 or 65535 would make sense for
RINGBUFFER_MAX_NUM_FILES. We could also just print a warning like "Wow!
That's a lot of files!" instead of forcibly capping the value.

I would think that if we continue to support files:0 (unlimited files) then it makes more sense to just put out a warning. That would be better than forcing them to choose between unlimited (and possibly running out of disk space) and N files (which, as in this users case, wasn't enough).

Well, maybe not since we have to store all those file names...