Home page logo
/

wireshark logo Wireshark mailing list archives

Re: Memory consumption in tshark
From: Evan Huus <eapache () gmail com>
Date: Thu, 29 Aug 2013 21:35:48 -0400

On Thu, Aug 29, 2013 at 11:07 AM, Dario Lombardo <
dario.lombardo.ml () gmail com> wrote:

On Thu, Aug 29, 2013 at 4:35 PM, Evan Huus <eapache () gmail com> wrote:

Basically, but it's also more. If your capture contains a DNS packet
resolving a name in a certain way, and the system name resolver gives a
different answer, we prefer the DNS packet in the capture (since presumably
the capture was on some local network where that name resolves
differently). For this reason we can't just drop old cache entries unless
name resolution is disabled completely.


That's really interesting. This means that if a DNS packet with a fake
resolution is got, it can pollute the "cache".
I've triggered this behaviour in the attached pcap file. It appears that
I'm pinging google (in my svn wireshark), while actually I'm pinging a
private addres :).


I have checked in an option for this in revision 51584 which should also
solve your memory problem (or most of them). If you run that revision of
tshark with the flag: -o dns.use_for_addr_resolution:FALSE then you should
see substantially lower memory usage, (and your crafted capture won't
resolve the internal address as google either). I left it enabled by
default, since that was the existing behaviour, but I don't have a strong
opinion one way or the other.

Cheers,
Evan
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]