Wireshark-dev: Re: [Wireshark-dev] PDML export on big capture files
From: "Edouard Funke" <[email protected]>
Date: Fri, 29 Feb 2008 14:57:41 +0100
I ran a test with and without options on a 600 MB capture file: the
result is the same, tshark takes 400 MB of memory. Is it normal?

On Fri, Feb 29, 2008 at 12:31 PM, Edouard Funke <[email protected]> wrote:
> Thanks for all the information, I will try these options and see if
>  there is no more memory problem.
>
>  For now our plugins do not use reassembly but it is a feature that we
>  might want to implement soon. We might face the same problems then, a
>  quick fix would be to split capture files but as we are trying to
>  "follow" streams it is still a problem.
>
>
>
>  On Fri, Feb 29, 2008 at 12:14 PM, Guy Harris <[email protected]> wrote:
>  > Edouard Funke wrote:
>  >  > The same issue happens with "normal" TCP traffic without any custom
>  >  > plugin activated.
>  >  > How can I deactivate reassembly in this case?
>  >
>  >  Try adding the command line flag
>  >
>  >         -o tcp.desegment_tcp_streams:false
>  >
>  >  which will turn off reassembly for protocols running over TCP.  You
>  >  could also try
>  >
>  >         -o ip.defragment:false -o ipv6.defragment:false
>  >
>  >  to turn off reassembly of fragmented IPv4 and IPv6 datagrams.
>  >
>  >
>  >  > How different would my output be?
>  >
>  >  If the traffic is, for example, HTTP or SMB, it could be quite
>  >  different, as large HTTP replies, and SMB write requests and read
>  >  replies, are some examples of PDUs that would be split across TCP
>  >  segment boundaries.
>  >
>
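
A toy model of the trade-off discussed in this thread, added here as an illustration (it is not Wireshark code and not part of any of the messages): with reassembly on, a PDU split across TCP segments is dissected once but earlier segments must be held in memory; with it off, nothing is held but the per-packet output changes. The `dissect` function, the `SEGMENTS` sample and the record names are constructed for this example, and every response is assumed to carry a `Content-Length` header.

```python
import re

MSS = 1460  # constructed: typical TCP payload size per segment
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 3000\r\n\r\n" + b"A" * 3000
# Constructed sample: one HTTP reply split across three TCP segments.
SEGMENTS = [RESPONSE[i:i + MSS] for i in range(0, len(RESPONSE), MSS)]


def dissect(segments, desegment):
    """Dissect HTTP-like replies carried in consecutive TCP payloads.

    Returns (records, peak_buffered): the per-packet records an export would
    contain, and the most bytes ever held back waiting for the rest of a PDU.
    """
    records, pending, peak = [], b"", 0
    for seg in segments:
        # With reassembly, bytes kept from earlier segments are prepended.
        data = pending + seg if desegment else seg
        pending = b""
        while data:
            head, sep, body = data.partition(b"\r\n\r\n")
            m = re.search(rb"Content-Length: (\d+)", head)
            if not sep or not m:
                if desegment and data.startswith(b"HTTP/"):
                    pending = data          # header not complete yet: keep it
                else:
                    records.append(("tcp-data", len(data)))  # opaque payload
                break
            need = int(m.group(1))
            if len(body) < need:
                if desegment:
                    pending = data          # keep everything until body is whole
                else:
                    records.append(("http-truncated", len(body)))
                break
            records.append(("http", need))  # complete PDU dissected
            data = body[need:]              # possibly another PDU follows
        peak = max(peak, len(pending))
    return records, peak


if __name__ == "__main__":
    for flag in (True, False):
        print("desegment =", flag, "->", dissect(SEGMENTS, flag))
```
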