Wireshark · Wireshark-dev: [Wireshark-dev] TCP conversation analysis can be expensive, and you can't disable it

Wireshark-dev: [Wireshark-dev] TCP conversation analysis can be expensive, and you can't disabl

From: Guy Harris <guy@xxxxxxxxxxxx>

Date: Mon, 25 Apr 2016 16:59:53 -0700

When I read the capture file mentioned in bug 12367

	https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12367

it eats about 6-8GB on my machine.

A large amount of that data is in structures allocated by init_tcp_conversation_data(), which is called by get_tcp_conversation_data() if there isn't already one for the conversation.

get_tcp_conversation_data() is *always* called by dissect_tcp(), so you can't disable that analysis.

So if you're reading a large capture file with a lot of TCP connections, make sure you're on a 64-bit machine that has plenty of memory and that either has or can allocate plenty of swap space to back it if necessary.

Follow-Ups:
- Re: [Wireshark-dev] TCP conversation analysis can be expensive, and you can't disable it
  - From: Guy Harris
- Re: [Wireshark-dev] TCP conversation analysis can be expensive, and you can't disable it
  - From: Michael Mann

Prev by Date: Re: [Wireshark-dev] Debian builds in wireshark
Next by Date: Re: [Wireshark-dev] TCP conversation analysis can be expensive, and you can't disable it
Previous by thread: Re: [Wireshark-dev] Debian builds in wireshark
Next by thread: Re: [Wireshark-dev] TCP conversation analysis can be expensive, and you can't disable it
Index(es):
- Date
- Thread