Wireshark mailing list archives
Re: Limiting amount of memory used to analyze TCP (HTTP) traffic. Questions about tcp dissector.
From: Jeff Morriss <jeff.morriss.ws () gmail com>
Date: Thu, 25 Feb 2016 17:58:32 -0500
On Thu, Feb 25, 2016 at 4:53 PM, Vitaly Repin <vitaly.repin () gmail com> wrote:
Hello, I am trying to understand how the Wireshark TCP dissector utilizes memory.
That's a good place to start but there's a lot of other stuff in Wireshark that will use a lot of memory as time goes by. On the off chance you haven't read it (at least a dozen times :-)) already: Wireshark's generally not the best tool for doing long-term analysis for exactly this reason (memory usage). At one point I was quite interested in adding some kind of memory profiling into Wireshark so we could see exactly where the memory was used at any given point in time (e.g., frame_data's are using 20 Mbytes, TCP reassembly's using 100 Mbytes, etc.) but I never came up with something good.
Then I have taken a look into tcpd->acked_table. According to the comment it "contains a tree containing all the various ta's keyed by frame number". I see that this list monotonically grows during the analysis. Is it expected behavior?
Assuming that 1) your TCP segments are being ACK'd and 2) you have TCP sequence analysis enabled (it is by default) then yes, it is expected.
Any ideas how I can decrease memory consumption (even for the price of not being able to analyze the whole TCP session if it contains a huge amount of data)?
Have you gone through the suggestions in the Wiki's OutOfMemory article? It has some pointers to things that will limit the memory usage. https://wiki.wireshark.org/KnownBugs/OutOfMemory