mailing list archives
Re: Memory consumption in tshark
From: Jakub Zawadzki <darkjames-ws () darkjames pl>
Date: Wed, 28 Aug 2013 08:42:48 +0200
On Tue, Aug 27, 2013 at 04:37:27PM -0400, Evan Huus wrote:
We already discard a great deal of state in (single-pass) tshark that we
keep around in Wireshark (or two-pass tshark).
Really? I'm not so sure about that 'great deal' I think right now
we are only freeing protocol frame data list.
I dislike the idea of two-pass by default for exactly this reason: people
expect tshark to be relatively state-less. This is already not the case,
but it's a lot worse in two-pass mode. It might even make sense to add a
--state-less flag to tshark that disables all options which require state.
I don't know how feasible that would be however.
If they want state-less they should probably use tcpdump.
To be honest I don't like option --state-less (it'd be really hard to find),
I'd rather make single pass really state-less (if that's what user expect).
And if user want to do pro dissection -2 must be used anyway.
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
mailto:wireshark-dev-request () wireshark org?subject=unsubscribe