Wireshark-dev: Re: [Wireshark-dev] Limiting amount of memory used to analyze TCP (HTTP) traffic
From: Evan Huus <[email protected]>
Date: Thu, 25 Feb 2016 18:14:39 -0500
Another article worth reading is
https://blog.wireshark.org/2014/07/to-infinity-and-beyond-capturing-forever-with-tshark/

It doesn't solve your problem, but it contains some good information
on surrounding issues.

Evan

On Thu, Feb 25, 2016 at 5:58 PM, Jeff Morriss <[email protected]> wrote:
>
>
> On Thu, Feb 25, 2016 at 4:53 PM, Vitaly Repin <[email protected]>
> wrote:
>>
>> Hello,
>>
>> I am trying to understand how the Wireshark TCP dissector utilizes memory.
>
>
> That's a good place to start but there's a lot of other stuff in Wireshark
> that will use a lot of memory as time goes by.
>
> On the off chance you haven't read it (at least a dozen times :-)) already:
> Wireshark's generally not the best tool for doing long-term analysis for
> exactly this reason (memory usage).
>
> At one point I was quite interested in adding some kind of memory profiling
> into Wireshark so we could see exactly where the memory was used at any
> given point in time (e.g., frame_data's are using 20 Mbytes, TCP
> reassembly's using 100 Mbytes, etc.) but I never came up with something
> good.
>
>> Then I have taken a look into tcpd->acked_table.  According to the
>> comment it "contains a tree containing all the various ta's keyed by
>> frame number".
>> I see that this list monotonically grows during the analysis. Is it
>> expected behavior?
>
>
> Assuming that 1) your TCP segments are being ACK'd and 2) you have TCP
> sequence analysis enabled (it is by default) then yes, it is expected.
>
>>
>> Any ideas how I can decrease memory consumption (even for the price of
>> not being able to analyze the whole TCP session if it contains a huge
>> amount of data)?
>
>
> Have you gone through the suggestions in the Wiki's OutOfMemory article?  It
> has some pointers to things that will limit the memory usage.
>
> https://wiki.wireshark.org/KnownBugs/OutOfMemory