Home page logo
/

wireshark logo Wireshark mailing list archives

Re: Memory consumption in tshark
From: Dario Lombardo <dario.lombardo.ml () gmail com>
Date: Wed, 28 Aug 2013 09:24:35 +0200

On Tue, Aug 27, 2013 at 10:38 PM, Evan Huus <eapache () gmail com> wrote:

We already discard a great deal of state in (single-pass) tshark that we
keep around in Wireshark (or two-pass tshark). We do need to keep some,
though. It's only a bug if we're keeping more than we actually need, and
that's not determinable from the information we have here. Dario, if you
could get us a memory profile of tshark in this situation (through
valgrind's massif tool, for example) that would help us debug further.


For sure. But I'd need exactly the commands to run and what I should give
you back.



I dislike the idea of two-pass by default for exactly this reason: people
expect tshark to be relatively state-less. This is already not the case,
but it's a lot worse in two-pass mode. It might even make sense to add a
--state-less flag to tshark that disables all options which require state.
I don't know how feasible that would be however.

Evan


FYI, 10G file is a giant DNS capture. Maybe the state kept in the queries
(for conversations creation) triggers the memory consumption.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault