mailing list archives
Re: Memory consumption in tshark
From: Dario Lombardo <dario.lombardo.ml () gmail com>
Date: Wed, 28 Aug 2013 09:24:35 +0200
On Tue, Aug 27, 2013 at 10:38 PM, Evan Huus <eapache () gmail com> wrote:
We already discard a great deal of state in (single-pass) tshark that we
keep around in Wireshark (or two-pass tshark). We do need to keep some,
though. It's only a bug if we're keeping more than we actually need, and
that's not determinable from the information we have here. Dario, if you
could get us a memory profile of tshark in this situation (through
valgrind's massif tool, for example) that would help us debug further.
For sure. But I'd need exactly the commands to run and what I should give
I dislike the idea of two-pass by default for exactly this reason: people
expect tshark to be relatively state-less. This is already not the case,
but it's a lot worse in two-pass mode. It might even make sense to add a
--state-less flag to tshark that disables all options which require state.
I don't know how feasible that would be however.
FYI, 10G file is a giant DNS capture. Maybe the state kept in the queries
(for conversations creation) triggers the memory consumption.
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
mailto:wireshark-dev-request () wireshark org?subject=unsubscribe