Home page logo

wireshark logo Wireshark mailing list archives

Re: Memory consumption in tshark
From: Jakub Zawadzki <darkjames-ws () darkjames pl>
Date: Wed, 28 Aug 2013 08:42:48 +0200

On Tue, Aug 27, 2013 at 04:37:27PM -0400, Evan Huus wrote:
We already discard a great deal of state in (single-pass) tshark that we
keep around in Wireshark (or two-pass tshark). 

Really? I'm not so sure about that 'great deal' I think right now 
we are only freeing protocol frame data list.

I dislike the idea of two-pass by default for exactly this reason: people
expect tshark to be relatively state-less. This is already not the case,
but it's a lot worse in two-pass mode. It might even make sense to add a
--state-less flag to tshark that disables all options which require state.
I don't know how feasible that would be however.

If they want state-less they should probably use tcpdump.

To be honest I don't like option --state-less (it'd be really hard to find),
I'd rather make single pass really state-less (if that's what user expect).
And if user want to do pro dissection -2 must be used anyway.
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]