Force a process in Windows 7 to store capture in RAM without doing actual I/O operation and writing to the disk

I'm Using Wireshark's cyclic buffers configuration capturing mode:

I am sniffing a 10Gig port, and I was expecting Wireshark to work cyclically with buffers on the DDR only, but apparently it doesn't. Wireshak accesses the DISK constantly. The disk is a T500DM002 500GB 7200 RPM which can't handle 10Gig traffic, even an SSD can't handle it.

Here is a snapshot of Process Explorer when the traffic is hardly 0.1% of the maximal 10Gig:

Is there any method to force Wireshark/Dumpcap/Tshark/Whatever to work only with DDR allocated cyclical 100MB buffers?

0x90

Posted 2015-11-08T18:33:14.667

Reputation: 170

2You may be able to install software that exposes some of your ram as a ramdisk, and place the wireshark temporary capture file on that disk, to see if it gives the correct speed – Ferrybig – 2015-11-08T21:54:21.647

@ferrybig would you give a quick outline for creating a ramdisk in Win7 ? – moonbutt74 – 2015-11-08T22:16:23.317

Answers

If by "DDR" you mean Double Data Rate RAM, rather than, for example, Deutsche Demokratische Republik or Dance Dance Revolution, Wireshark captures to a file, not to memory, and has no facility for capturing to memory.

You would have to ask for an enhancement to Wireshark to support that. (It would be a significant change, not something the developers could quickly do.)

An alternative would be to find some ramdisk software for Windows, install it, and tell Wireshark to capture to ring buffers stored on the ramdisk.

user164970

Posted 2015-11-08T18:33:14.667

Reputation:

The solution I came up with is:

Allocate a 1GB RamDisk with imdisk. You may use CrystalDiskMark to verify the IO works at the desired data rate.

0x90

Posted 2015-11-08T18:33:14.667

Reputation: 170