Hi Guy,

> On Wed, Jan 29, 2003 at 11:12:08PM +0000, [EMAIL PROTECTED] wrote:
> > ...Unless you're trying to capture data rates higher than 100mbps, or
> > from media other than Ethernet, in which case Sniffer is useless for
> > long-term capture.
>
> Why is 10/100Mb Ethernet special there? They do have gigabit Sniffers
> and Sniffers do support other media.

Yes, but we're talking about extended captures here. For example, Sniffer products support Gigabit Ethernet capture in one of two ways:

- Capture to buffers on a proprietary card up to 144MB (72MB per channel), where there is currently still no possible way to save a full buffer to disk and restart capture (which would be horrible anyway, since it takes 10-50 times longer to pull the data off of the card than to capture it). This is the model for the majority of their currently sold Gigabit products.

- Capture with a probe that has up to 512MB buffer (I believe), and can attempt to stream some of the data to a "console" PC over a 100Mbps FE link. This at least allows you to attempt to capture for extended periods, but it's rare that it can handle more than about 60Mbps/s of sustained traffic.

Between the two, the second would obviously be preferable, but if you're not looking for physical errors and not worried about the very slight packet arrival time differences, you might as well SPAN the gigabit port you're monitoring to an FE port, and save-to-disk more reliably at up to 100Mbps (though very "bursty" traffic won't be handled quite as well).

All of Sniffer's solutions for other media types, to my knowledge, use one of the two above approaches as well.

> > Do you know if there was a reason why the ring buffer was designed to
> > hold all files open at the same time? Or was it simpler to design that
> > way, and eventually it was assumed that someone would implement
> > something more robust?
>
> I wasn't the creator of that code; I don't know why its creators made
> the design decisions that they did.

Perhaps I should re-ask on Ethereal-dev? =)