On Tue, Aug 27, 2013 at 04:38:08PM -0400, Evan Huus wrote:
> We already discard a great deal of state in (single-pass) tshark that we
> keep around in Wireshark (or two-pass tshark). We do need to keep some,
> though. It's only a bug if we're keeping more than we actually need, and
> that's not determinable from the information we have here. Dario, if you
> could get us a memory profile of tshark in this situation (through
> valgrind's massif tool, for example) that would help us debug further.
>
> I dislike the idea of two-pass by default for exactly this reason: people
> expect tshark to be relatively state-less. This is already not the case,
> but it's a lot worse in two-pass mode. It might even make sense to add a
> --state-less flag to tshark that disables all options which require state.
> I don't know how feasible that would be however.
IIRC, two-pass allows for most/all of the reassembly/request-response stuff,
which we want to do sometimes. Any ideas why we have to keep some information
indefinitely?
ciao
jörg
--
Joerg Mayer <jmayer@xxxxxxxxx>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
