Re: Memory consumption in tshark

[Evan Huus <eapache () gmail com>]

We already discard a great deal of state in (single-pass) tshark that we
keep around in Wireshark (or two-pass tshark). We do need to keep some,
though. It's only a bug if we're keeping more than we actually need, and
that's not determinable from the information we have here. Dario, if you
could get us a memory profile of tshark in this situation (through
valgrind's massif tool, for example) that would help us debug further.

I dislike the idea of two-pass by default for exactly this reason: people
expect tshark to be relatively state-less. This is already not the case,
but it's a lot worse in two-pass mode. It might even make sense to add a
--state-less flag to tshark that disables all options which require state.
I don't know how feasible that would be however.

Evan


On Tue, Aug 27, 2013 at 4:26 PM, Joerg Mayer <jmayer () loplof de> wrote:

> On Tue, Aug 27, 2013 at 06:53:01PM +0200, Jakub Zawadzki wrote:
> > > > ./tshark -r traffic.all -Y "dns.qry.name.len > 50" -w longnames.pcap
> > >
> > > > Used memory grows continuously, up to over 3GB of ram. At this point
> my pc goes thrashing and I must kill tshark.
> > > > That's not what I expected. I expected the memory to grow up to a
> certain size, then stop, feeding the output file.
> > > > Any idea about what happens? Any suggestion on how to debug it?
> >
> > On Tue, Aug 27, 2013 at 02:40:07PM +0000, Anders Broman wrote:
> >
> > > No it will not; as state and stuff accumulates memory grows until
> *shark runs out of memory your mileage on
> > Isn't it a bug? Do we need some special option for such case, or reusing
> > single pass tshark is good enough?
> > We should anyway do -2 pass default where we have a file (and not pipe).
>
> IMO it's a bug. While we need to keep a lot of state for Wireshark, we
> don't need
> (most of) it for tshark.
>
>  Ciao
>       Jörg
>
> --
> Joerg Mayer                                           <jmayer () loplof de>
> We are stuck with technology when what we really want is just stuff that
> works. Some say that should read Microsoft instead of technology.
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request () wireshark org
> ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe