Wireshark-users: [Wireshark-users] Continuous/circular in-memory tracing?
Lately, I've run into a few intermittent issues (HTTP-level anomalies,
mostly) on my Windows XP SP2 machine that I could probably solve, if
only I had a Wireshark trace file. Unfortunately, the problems happen
maybe once a week. So capturing it is like the old joke: "To get to
Times Square, watch me, and get off the subway one stop before I do."
As far as I can tell from searching the forum, there's no good way to
keep Wireshark up and running and capturing to an in-memory circular
buffer, so that when I hit a problem, I can go back in time a few
minutes, and say "Ah hah! Here's the trace for that!" I know Wireshark
has a ring buffer mode, but that still writes every byte to disk, which
seems like a good way to raise my blood pressure as my entire online
experience slows down for the next month.
From what I've seen, the best I could do is set Wireshark up to use
ring-buffer files, and set those files up to be on a RAMdisk (if such a
thing even still exists for Windows), so although we're still going
through all the file-I/O semantics, we're not actually touching a disk
spindle. But there's no way to set up a true, lightweight ring/circular
buffer, which would just be a memcpy of the Ethernet packets, and then,
when I actually care, trigger a "hey! NOW I'm interested in that data"
function.
I'm thinking of something like commercial audio recording packages,
which often include a "pre-record" feature. The mics are always on and
recording, and if you then press Record, you'll get the previous minute
of audio inserted after-the-fact, as well as everything from that moment
forward. It's the "oops I wish I had been recording" feature.
So is the RAMdisk/ring-buffer solution the best approximation of that?
Or is there another way to do this, either with Wireshark or another
tool (either free or commercial but not enterprise-priced)?
Jay Levitt
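As an added illustration of the "pre-record" buffer the post asks for (example code, not from the thread or from Wireshark): raw Ethernet frames are copied into an in-memory ring bounded by age and size, nothing is written until the trigger fires, and the trigger dumps the retained window as a libpcap file that Wireshark can open. The capture source that feeds `push()` is left to the reader (any raw-socket or pcap library works); the frames in the test are constructed.

```python
import struct
import time
from collections import deque

# libpcap global header Wireshark reads: magic, version 2.4, tz offset 0,
# sigfigs 0, snaplen 65535, link type 1 (Ethernet).
PCAP_GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


class PreRecordBuffer:
    """Ring of (timestamp, raw frame) pairs kept only in memory.

    Frames older than `window_seconds` relative to the newest frame, or beyond
    `max_bytes` in total, are dropped on every push, so memory stays bounded.
    """

    def __init__(self, window_seconds=120.0, max_bytes=32 * 1024 * 1024):
        self.window = window_seconds
        self.max_bytes = max_bytes
        self.frames = deque()   # oldest frame on the left
        self.stored = 0         # bytes currently held

    def push(self, frame, ts=None):
        """Copy one raw Ethernet frame into the ring (the memcpy step)."""
        ts = time.time() if ts is None else ts
        self.frames.append((ts, bytes(frame)))
        self.stored += len(frame)
        # Evict relative to the newest frame so the window is capture-time based.
        while self.frames and (ts - self.frames[0][0] > self.window
                               or self.stored > self.max_bytes):
            _, old = self.frames.popleft()
            self.stored -= len(old)

    def to_pcap_bytes(self):
        """Serialize the retained frames as a pcap file image."""
        out = [PCAP_GLOBAL_HEADER]
        for ts, frame in self.frames:
            sec = int(ts)
            usec = int((ts - sec) * 1_000_000)
            out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
            out.append(frame)
        return b"".join(out)

    def trigger(self, path):
        """'NOW I'm interested': write the window to disk, return frame count."""
        with open(path, "wb") as fh:
            fh.write(self.to_pcap_bytes())
        return len(self.frames)
```

Because eviction is keyed on the newest frame's timestamp rather than the wall clock, a quiet link keeps its last frames until new traffic arrives, which is the behaviour you want when the anomaly is itself a stall.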