Re: Memory consumption in tshark

[Joerg Mayer <jmayer () loplof de>]

On Tue, Aug 27, 2013 at 05:09:19PM -0400, Evan Huus wrote:
> > IIRC, two-pass allows for most/all of the reassembly/request-response
> > stuff,
> > which we want to do sometimes. Any ideas why we have to keep some
> > information
> > indefinitely?
>
> Two-pass requires us to keep *all* the state around through the first pass
> so that it is available during the second pass (at which point it can be
> discarded).  Even in single-pass mode, there is some state that we can't
> always immediately discard. If I see a fragment of a TCP message then it
> doesn't make sense to discard that until the other fragments have arrived
> and been reassembled. If I see a request, I probably need to keep state
> from that request until the response (which may never show up).
>
> We already do reassembly and a lot of other stateful work in single-pass
> mode. The only thing two-pass mode provides is the ability to "see the
> future" (for example, saying: this request has a response 5 packets later).

So (assuming we really free everything we could already) could add a
possibly configurable foresight horizon of 10000 packets. If a packet
number is older than 10000 packets, forget it?

Ciao
        Jörg

-- 
Joerg Mayer                                           <jmayer () loplof de>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe