Automatic Flushing in RawCap
The “-f” switch can now be used to force RawCap to immediately flush sniffed packets to disk.
I've received multiple emails from RawCap users who run into problems when they want to look at a pcap file from RawCap without terminating the program. What usually happens in this case is that the output pcap file will be empty until they terminate RawCap with “Ctrl-C”. The reason for this is that RawCap has a 1MB data buffer, which is used in order to maximize performance by reducing unnecessary disk operations. RawCap will therefore not write any data to disk until it is terminated or has filled the buffer with 1MB of network traffic.
We've now released a new version (1.4.0.0) of RawCap in order to solve the needs of these users. The new version supports WriteThrough, which forces the data to be written directly to disk without being buffered. The automatic flushing functionality is enabled by supplying the “-f” switch from the command line when launching RawCap.
There is, however, one downside with the new version of RawCap; the size of RawCap.exe has increased from 17kB to 18kB. Sorry for that fellow minimalists... ;)
Here is an example command showing how to sniff traffic from localhost with automatic flushing (i.e. no buffer):
RawCap.exe -f 127.0.0.1 LiveLoopback.pcap
Happy live sniffing!
Posted by Erik Hjelmvik on Sunday, 23 October 2011 16:24:00 (UTC/GMT)
