Re: reduce tshark memory usage

[杜 伟强 <ishadowprince () outlook com>]

very good explanation   thank you somuch

发自网易邮箱大师

在2017年11月23日 04:26，Guy Harris<mailto:guy () alum mit edu> 写道：
On Nov 22, 2017, at 9:42 AM, Pascal Quantin <pascal.quantin () gmail com> wrote:

> No, Wireshark also keeps in memory all what is needed to make the relationship between packets (request / response 
> tracking, conversations, reassembly, ...).

And sometimes that information is needed to do packet dissection, so it's necessary even if all you want is "just some 
protocol’s field information".

For example, some request/response protocols (such as all ONC RPC-based protocols) have a request type value and a 
request ID in a request packet and, in the response, have only the request ID for the request to which this is a 
response, *not* the type value, so you need the type value from the request in order to dissect the response.

And to fully and correctly dissect packets, to get the field information from higher-level protocols in the packet, you 
may need to do reassembly.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe