Re: Memory question

[Guy Harris <guy () alum mit edu>]

On Mar 25, 2010, at 8:18 AM, János Löbb wrote:

> I thought that when I dedicate a file for the capture, the program  
> will not run out of memory, but rather from time to time writes the  
> captured data to this file.

dumpcap (the program that actually does the capturing) writes packets to the capture file as soon as they are captured; 
that's done through buffered I/O routines, so a small amount of packet data is buffered in memory so that larger writes 
can be done to the file, but that buffer is a fixed size (the size depends on the OS on which you're running).

> Looks to me that Wireshark wants to read all the content  
> into real memory

No, it doesn't; the raw capture data is kept in a file.  See the OutOfMemory page Bill Meier mentioned in his mail for 
where Wireshark/TShark use memory.  I suspect a significant amount of memory is used to do packet reassembly; if we can 
make random access to files, including compressed files, efficient, we might be able to store less of the reassembled 
data permanently.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe