
Wireshark-dev: Re: [Wireshark-dev] Tshark0994 memory question

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sat, 13 Jan 2007 12:03:07 -0800
rmkml wrote:

I'm using tshark v0.99.4 on linux kernel2619 and libc232
and I have a memory question:
when I start tshark (with -ta -ni eth0) and download an ISO (~700Mo), for example, tshark allocates ~220Mo but never frees the memory (same allocation ten minutes after the download). Why is tshark not freeing memory?

Because it doesn't know it won't need it any more.

The exact same code (the exact same *binary* code) is used for Wireshark and TShark dissectors.

In Wireshark, various data structures maintained by dissectors are kept around as long as a capture file is open, as they might be needed in order to re-dissect particular packets. Even in TShark, a data structure might be needed to dissect packets later in a capture. (tcpdump, by default, also keeps some data structures around - a per-TCP-connection data structure, so it can print relative sequence numbers.)

The biggest consumer of memory is packet reassembly; for that, it could conceivably release the memory once the reassembled data is fully processed, but there's currently no way for the reassembly code to know that the reassembled data won't be used in the future, as would be the case in Wireshark. That might be added at some point. (If Wireshark could be assured that fast random access to capture files is possible, it could re-read the packet fragments if, after the first pass through the packet data, a reassembled packet is needed.)
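The trade-off described in the reply above can be seen in a small model. This is an added example, not part of the original message and not Wireshark's reassembly code; the class, the function names, and the traffic are constructed for illustration. It compares a reassembler that keeps completed data so an earlier packet can be re-dissected with one that releases it on completion.

```python
# Simplified model only; not Wireshark's reassembly code. All names are hypothetical.
from collections import defaultdict


class Reassembler:
    """Reassembles fragmented messages keyed by (flow, msg_id)."""

    def __init__(self, release_when_done):
        self.release_when_done = release_when_done
        self.fragments = defaultdict(dict)  # key -> {offset: bytes}, in-progress data
        self.totals = {}                    # key -> total length, known from last fragment
        self.completed = {}                 # key -> reassembled bytes kept for re-dissection

    def add(self, key, offset, data, last):
        """Feed one fragment; return the full message when it completes, else None."""
        self.fragments[key][offset] = data
        if last:
            self.totals[key] = offset + len(data)
        total = self.totals.get(key)
        parts = self.fragments[key]
        if total is None or sum(len(p) for p in parts.values()) < total:
            return None
        message = b"".join(parts[o] for o in sorted(parts))
        del self.fragments[key], self.totals[key]
        if not self.release_when_done:
            self.completed[key] = message   # retained: a later re-dissect may need it
        return message

    def redissect(self, key):
        """Models a GUI re-dissecting an earlier packet without re-reading the file."""
        return self.completed.get(key)

    def retained_bytes(self):
        held = sum(len(m) for m in self.completed.values())
        held += sum(len(p) for parts in self.fragments.values() for p in parts.values())
        return held


def run_capture(release_when_done, messages=100, size=3000, mtu=1000):
    """Constructed traffic: `messages` messages of `size` bytes, split into `mtu`-byte fragments."""
    r = Reassembler(release_when_done)
    for msg_id in range(messages):
        payload = bytes([msg_id % 256]) * size
        for off in range(0, size, mtu):
            r.add(("flowA", msg_id), off, payload[off:off + mtu], last=off + mtu >= size)
    return r
```

With `release_when_done=False` the retained bytes grow with the traffic seen; with `True` memory stays flat, but `redissect()` has nothing to return unless the fragments can be re-read from the capture file.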