Wireshark mailing list archives

tshark memory


From: Abhijit Bare <abhibare () gmail com>
Date: Tue, 19 Jan 2010 13:26:31 -0700

Hi all,

I have a problem with tshark memory usage. I need to use tshark for a read
filter. However, it looks like tshark reads the entire input file into
memory. Is this correct?

My traffic file is huge (at least 2.5 TB uncompressed). You can't really
read in such a file and, in my opinion, tshark doesn't have to, as applying
a read filter can be done on each individual packet.

But every time I do this, tshark memory and virtual memory reported by top
become really large and the output rate (using the -w option) becomes very slow.

Do you expect this? Is there any way to avoid this?

Thank you,
Abhijit
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users