We're now a non-profit! Support open source packet analysis by making a donation.

Wireshark-dev: Re: [Wireshark-dev] Limiting amount of memory used to analyze TCP (HTTP) traffic

From: Evan Huus <[email protected]>
Date: Thu, 25 Feb 2016 18:14:39 -0500
Another article worth reading is

It doesn't solve your problem, but it contains some good information
on surrounding issues.


On Thu, Feb 25, 2016 at 5:58 PM, Jeff Morriss <[email protected]> wrote:
> On Thu, Feb 25, 2016 at 4:53 PM, Vitaly Repin <[email protected]>
> wrote:
>> Hello,
>> I am trying to understand how the Wireshark TCP dissector utilizes memory.
> That's a good place to start but there's a lot of other stuff in Wireshark
> that will use a lot of memory as time goes by.
> On the off chance you haven't read it (at least a dozen times :-)) already:
> Wireshark's generally not the best tool for doing long-term analysis for
> exactly this reason (memory usage).
> At one point I was quite interested in adding some kind of memory profiling
> into Wireshark so we could see exactly where the memory was used at any
> given point in time (e.g., frame_data's are using 20 Mbytes, TCP
> reassembly's using 100 Mbytes, etc.) but I never came up with something
> good.
>> Then I have taken a look into  tcpd->acked_table.  According to the
>> comment it "contains a tree containing all the various ta's keyed by
>> frame number".
>> I see that this list monothonically grows during the analysis. It is
>> expected behavior?
> Assuming that 1) your TCP segments are being ACK'd and 2) you have TCP
> sequence analysis enabled (it is by default) then yes, it is expected.
>> Any ideas how I can decrease memory consumption (even for the price of
>> not being able to analyze the whole TCP session if it contains huge
>> amount of data)?
> Have you gone through the suggestions in the Wiki's OutOfMemory article?  It
> has some pointers to things that will limit the memory usage.
> https://wiki.wireshark.org/KnownBugs/OutOfMemory
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <[email protected]>
> Archives:    https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:[email protected]?subject=unsubscribe