Wireshark mailing list archives

Re: tshark memory


From: Abhijit Bare <abhibare () gmail com>
Date: Tue, 19 Jan 2010 13:57:01 -0700

Thanks for the quick response.

Something is slowing down tshark's output. I am piping the output to gzip.
Tshark produced the first 1G in the first 10 minutes and the next 1G in the
next 2 hours. It will take me about 5 days at this rate.

I have seen this happen before with tshark. Comparatively, our in-house
pcap tools (based on libpcap) can finish reading and writing in a few hours.

After 2 hours, my tshark process is using 3.6G RESIDENT memory and ~ 500G
VIRT memory in top output. gzip (output consumer) was initially using 10%
CPU, now it is down to 0 or 1% indicating that tshark is sending hardly
anything to it.

Not sure what's keeping tshark from doing it faster. Is it my filter?

Thanks again,
Abhijit

PS: This is how I run it:

tshark -r big_file.raw.gz -R "! sip.CSeq contains REGISTER" -w - | gzip > reg_removed.raw.gz &





On Tue, Jan 19, 2010 at 1:35 PM, Guy Harris <guy () alum mit edu> wrote:


On Jan 19, 2010, at 12:26 PM, Abhijit Bare wrote:

I have a problem with tshark memory usage. I need to use tshark for a
read filter. However, it looks like tshark reads in the entire input file in
memory. Is this correct?

No, it is not.  Neither Wireshark nor TShark reads the entire input file
into memory.

When it reassembles fragmented/segmented/etc. packets, however, the content
of the reassembled packets *is* kept in memory.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
