capture.bin

Discussion in 'Port Explorer' started by Hank, Jan 12, 2003.

Thread Status:
Not open for further replies.
  1. Hank

    Hank Registered Member

    Joined:
    Jan 8, 2003
    Posts:
    31
    Location:
    good old europe
    Hi folks,

    I cannot say whether this message is perhaps only for dummies like me :D
    but if anybody else asks himself why does the socket spy.......

    Well, being (very) curious testing the PE-socketspy, I enabled "spying"
    for several sockets (uh yes - at the same time :rolleyes:) and wanted after a while
    to observe the packet data.

    My CPU began burning (100%) and the socket-spy froze every time I wanted
    to see the data.
    First idea was that it does not work. My O&O Defrag started and I could see
    strong fragmentation on partition C:\
    Using the cluster-inspector I saw which part was strongly fragmented:
    the PE-file.
    I opened it and saw that the capture.bin had grown to 350 MB. Guess
    that was a little bit too much to read for the socket-spy :rolleyes:

    So if anybody's socket-spy freezes, perhaps have a look at the capture.bin.
    Deleting is no problem - a new one will always be created.

    -Hank-
     
  2. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    If you were to take a look at the amazing amount of data that goes back and forth, you would quickly understand why you would not want to run a capture on more than one or two processes for very long. If you are curious, you can get this neat little freeware tool called TDIMon to see what I mean.

    http://www.sysinternals.com/ntw2k/freeware/tdimon.shtml

    Off Topic -- I just dl O&O Defrag last night to try. What's your opinion?

    Phil
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Yes, that TDImon gives a quick impression, but I love the details and lots of other tools in PE.
    Good warning to look at the capture.bin size, thanks for that.
     
  4. Hank

    Hank Registered Member

    Joined:
    Jan 8, 2003
    Posts:
    31
    Location:
    good old europe
    Hi Phil,

    in comparison to other tools I tried out this is really the best one. You have
    to play with it a little bit - like always - which means finding which configuration is
    the best for your system (depends on the data / access / changing).
    But no question: much better than the defrag-console in W2k.

    Concerning TDImon: Thanks for the hint, but (always visiting wilders.org)
    I installed it a long time ago under WIN98. System crash, and that was it for
    me. Something went wrong but in this case I did not want to find out why....

    It's late here in Europe - I go to bed.............
    -Hank-

    P.S.: further off-topic: are you interested in a tornado-deluxe-harddrive?
    Go to: http://www.wdc.com/products/products.asp?DriveID=32

    I had IBM, Maxtor, Barracuda on my system. This harddrive above (special edition /
    8 MB cache) turns you on I promise....

    -Hank-
     
  5. Hank

    Hank Registered Member

    Joined:
    Jan 8, 2003
    Posts:
    31
    Location:
    good old europe
    Hi Jooske,

    wouldn't it make sense to set a "natural" limit in PE for the size of
    the capture.bin - I mean, for example, like in some firewalls for the logfiles.
    If the socket spy freezes because the data is too much to open it .....
    And who knows - perhaps except Jason o_O - where exactly the limit is
    before it freezes?
    Or something like an alert to remove the spylist ("too much data-alert")?

    -Hank-
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Or at next occasion start clean again overwriting the last; but a limit should be practical and if not possible, a button for cleaning like for cleaning caches in a browser.
    I'm sure Jason will look into this matter. Did not see the max. size in the helpfile, but file formats and some programming languages commands to include it in own functions.

    Long ago I had problems with TDImon too, don't remember exactly if it caused system crashes too, but it might have had to do with required system files which by now after all those recent updates and patches might fit better with the software, maybe additional files from the new virtual machine, all is possible.
     
  7. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    There is no limit on capture.bin size currently. Of course if you have 350MB of data it will appear to "freeze" socket spy as it has to process all that information in it. If you have a lot of ram it shouldn't be a problem.

    Usually the best method is to socket spy on an application or two, then when you're finished either copy capture.bin to a backup directory and rename it to whatever you captured, like "Internetexplorer_capture.bin", or just remove all the data using the remove packets button in Socket Spy for a clean slate.
    -Jason-
     
  8. Hank

    Hank Registered Member

    Joined:
    Jan 8, 2003
    Posts:
    31
    Location:
    good old europe
    In fact we never can get "enough" - or? :D
    In my case I have 512 MB RAM - regarding your answer this must
    be a small size because "Mr. Freeze" came in.......

    -Hank-
     
  9. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Well, doing some math, if your hard drive can read that file at 10MB/second average, then it would have taken 35 seconds to process it all, if it did fit in your RAM :) Soon as it starts to thrash out to disk you can probably double that time. I didn't really design Socket Spy to handle 100's of megabytes of data at once and hence I didn't use a more sophisticated Hex Workshop approach to the data due to time constraints.

    Even so, when we are talking 350MB on even today's machines it is a LOT of data to crunch regardless ;)
    -Jason-
     
  10. ironwalker

    ironwalker Registered Member

    Joined:
    Jan 13, 2003
    Posts:
    11
    hmm, 3 minutes for my spy info to show ... finally!
    turns out it was 2 gigs in size :eek:
    my bad, now I understand how it works, going to defrag now ;)

    oh ya, I deleted capture.bin by accident, will the program make another or do I have to reinstall? o_O
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Ironwalker,
    nothing to worry, there will be made a new capture.bin when needed: deleting or renaming to save like Jason said above would have the same effect, you can also empty the bin with the "remove" buttons.
    Hoped it would do automatically, wipe out the old content at a next spy occasion but seems not, so it can really grow.
     
  12. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Ironwalker, woah, did you socket spy on some file transfer or something? :) As Jooske said you can delete capture.bin whenever you want to remove it, or just click the Remove button in the Socket Spy utility, they both have the same effect.

    What I usually do is socket spy on one application I'm interested in and after it's finished I rename that capture.bin to spy_applicationname.bin so if I need it later I can just rename it to capture.bin and view it in the Socket Spy utility.
    -Jason-
     