Wireshark mailing list archives
Limiting amount of memory used to analyze TCP (HTTP) traffic. Questions about tcp dissector.
From: Vitaly Repin <vitaly.repin () gmail com>
Date: Thu, 25 Feb 2016 23:53:36 +0200
Hello,

I am trying to understand how the Wireshark TCP dissector utilizes memory. If I analyze a huge HTTP session (e.g., download of an ISO image over HTTP) it starts to eat a lot of memory. In our setup, wireshark is running for online analysis of the traffic, which makes it important to control the amount of memory consumed. We need to get the HTTP payload and tracking of the connection (request/response relations).

My first idea was to limit the amount of fragments collected for PDU desegmentation. I added the following condition to tcp-packet.c (function desegment_tcp, before adding a new fragment for desegmentation) just to test the behavior:

    if (msp->nxtpdu < 64*1024) {
        ipfd_head = fragment_add(&tcp_reassembly_table, tvb, offset, pinfo,
                                 msp->first_frame, NULL, seq - msp->seq, len,
                                 (LT_SEQ(nxtseq, msp->nxtpdu)));
    } else
        ipfd_head = NULL;

I see that if the content size is more than 64K (nxtpdu is set with the help of the HTTP dissector, which analyzes the HTTP Content-Length header) then no data is sent to the PDU defragmentation routine. Which means that tcp_reassembly_table.fragment_table is not growing and memory consumption is decreased. (Works if the huge response was sent in the beginning of the session.)

But unfortunately memory consumption is still very significant. Then I have taken a look into tcpd->acked_table. According to the comment it "contains a tree containing all the various ta's keyed by frame number". I see that this list monotonically grows during the analysis. Is it expected behavior?

Any ideas how I can decrease memory consumption (even at the price of not being able to analyze the whole TCP session if it contains a huge amount of data)?

Thanks in advance!
--
WBR & WBW, Vitaly
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
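Editor's note, with an added example that is neither code from the post nor from Wireshark itself. The condition tried above compares msp->nxtpdu, an absolute sequence number, against 64*1024, which is why it only takes effect when the large response sits at the very start of the stream. The self-contained C program below shows the bounded-desegmentation idea applied the way a practitioner would want it: the cap is tested against the PDU length (nxtpdu minus seq, the value an HTTP Content-Length supplies), so it holds anywhere in the stream and across the 32-bit sequence wrap; an over-cap PDU allocates nothing and its segments are counted and discarded; segments of a small PDU arriving out of order, overlapping, or straddling the PDU boundary are clipped and stored once. The names msp_t, msp_add_segment, MAX_PDU_BYTES and the LT_SEQ macro are this example's own (LT_SEQ reproduces only the modular-comparison idea of the Wireshark macro), the 64 KiB cap is an assumed tunable, and both test payloads are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Modular 32-bit sequence comparison (a < b in sequence space), correct
 * across the 2^32 wrap; same idea as Wireshark's LT_SEQ, written here. */
#define LT_SEQ(a, b) ((int32_t)((uint32_t)(a) - (uint32_t)(b)) < 0)

/* Assumed cap on bytes buffered for one PDU (the 64K figure from the post).
 * A tunable for this example, not a Wireshark constant. */
#define MAX_PDU_BYTES (64u * 1024u)

typedef enum { MSP_PENDING = 0, MSP_COMPLETE = 1, MSP_SKIPPED = 2 } msp_status;

/* One multi-segment PDU in progress (the role of Wireshark's msp with its
 * seq/nxtpdu pair) plus a per-byte seen-map, so overlapping retransmissions
 * are stored once instead of growing a fragment list. */
typedef struct {
    uint32_t seq;      /* sequence number of the PDU's first byte */
    uint32_t nxtpdu;   /* sequence number of the first byte after the PDU */
    uint8_t *buf;      /* reassembly buffer; NULL when the PDU is over the cap */
    uint8_t *seen;     /* one flag per PDU byte */
    uint32_t have;     /* distinct PDU bytes received so far */
    uint32_t dropped;  /* payload bytes discarded because the PDU is over the cap */
} msp_t;

/* Start tracking a pdu_len-byte PDU at seq (pdu_len is what Content-Length
 * would supply). The cap is checked on the length, not on nxtpdu itself. */
void msp_init(msp_t *m, uint32_t seq, uint32_t pdu_len) {
    memset(m, 0, sizeof *m);
    m->seq = seq;
    m->nxtpdu = seq + pdu_len;               /* may wrap around 2^32 */
    if (pdu_len == 0 || pdu_len > MAX_PDU_BYTES)
        return;                              /* skip mode: allocate nothing */
    m->buf = calloc(pdu_len, 1);
    m->seen = calloc(pdu_len, 1);
    if (!m->buf || !m->seen) { free(m->buf); free(m->seen); m->buf = m->seen = NULL; }
}

void msp_free(msp_t *m) { free(m->buf); free(m->seen); m->buf = m->seen = NULL; }

static msp_status msp_state(const msp_t *m) {
    if (!m->buf) return MSP_SKIPPED;
    return m->have == m->nxtpdu - m->seq ? MSP_COMPLETE : MSP_PENDING;
}

/* Feed one TCP segment. Bytes outside [seq, nxtpdu) are clipped, bytes
 * already seen are ignored, and an over-cap PDU is counted but never stored. */
msp_status msp_add_segment(msp_t *m, uint32_t seg_seq, const uint8_t *data, uint32_t len) {
    uint32_t pdu_len = m->nxtpdu - m->seq;
    if (LT_SEQ(seg_seq, m->seq)) {           /* segment starts before the PDU */
        uint32_t skip = m->seq - seg_seq;
        if (skip >= len) return msp_state(m);
        data += skip; len -= skip; seg_seq = m->seq;
    }
    uint32_t off = seg_seq - m->seq;         /* modular offset into the PDU */
    if (off >= pdu_len) return msp_state(m); /* starts at or past nxtpdu */
    if (len > pdu_len - off) len = pdu_len - off;   /* clip the tail */
    if (!m->buf) { m->dropped += len; return MSP_SKIPPED; }
    for (uint32_t i = 0; i < len; i++) {
        if (!m->seen[off + i]) {             /* store each PDU byte once */
            m->seen[off + i] = 1;
            m->buf[off + i] = data[i];
            m->have++;
        }
    }
    return msp_state(m);
}

/* Constructed scenario 1: a 12-byte PDU straddling the sequence wrap, delivered
 * out of order with an overlap and with junk on both sides. Returns 1 if the
 * reassembled buffer is byte-exact. */
int demo_small_pdu_across_wrap(void) {
    const char body[] = "HTTP/1.1 200";      /* constructed 12-byte payload */
    const uint8_t *b = (const uint8_t *)body;
    uint8_t junk[64];
    memset(junk, 'J', sizeof junk);
    msp_t m;
    msp_init(&m, 0xFFFFFFF8u, 12);           /* PDU covers 0xFFFFFFF8..0x00000003 */
    int ok = msp_add_segment(&m, 0xFFFFFFFEu, b + 6, 6) == MSP_PENDING;     /* second half first */
    ok &= msp_add_segment(&m, 0xFFFFFFF4u, junk, 4) == MSP_PENDING;         /* ends before PDU: ignored */
    ok &= msp_add_segment(&m, 0xFFFFFFF8u, b, 8) == MSP_COMPLETE;           /* first half, 2 bytes overlap */
    ok &= msp_add_segment(&m, 0x00000000u, junk, 64) == MSP_COMPLETE;       /* tail clipped, nothing new */
    ok &= m.have == 12 && memcmp(m.buf, body, 12) == 0;
    msp_free(&m);
    return ok;
}

/* Constructed scenario 2: Content-Length far over the cap (a 700 MiB ISO).
 * Returns 1 if nothing was allocated and the segment was discarded. */
int demo_oversized_pdu_not_buffered(void) {
    uint8_t chunk[1460];
    memset(chunk, 'A', sizeof chunk);
    msp_t m;
    msp_init(&m, 1000u, 700u * 1024u * 1024u);
    msp_status s = msp_add_segment(&m, 1000u, chunk, sizeof chunk);
    int ok = s == MSP_SKIPPED && m.buf == NULL && m.dropped == 1460;
    msp_free(&m);
    return ok;
}

int main(void) {
    printf("small PDU across wrap: %s\n", demo_small_pdu_across_wrap() ? "ok" : "FAIL");
    printf("oversized PDU skipped: %s\n", demo_oversized_pdu_not_buffered() ? "ok" : "FAIL");
    return 0;
}
```

Note that a cap of this kind bounds only what the desegmentation buffer holds; it says nothing about per-frame analysis state such as the acked_table the post goes on to describe, which is recorded per frame regardless of whether payload is buffered.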