Edouard Funke wrote: > We are currently using wireshark PDML export functionnality (with > custom plugins) to export big capture files to be processed after. > We are constantly "hitting" the out of memory problem > (http://wiki.wireshark.org/KnownBugs/OutOfMemory) as wireshark keeps > information on packet list and for tcp reassembly among others > things...
So are you saying that Wireshark is running out of memory trying to *read* the capture, or are you saying that it can read the file but runs out of memory trying to export the capture as PDML? If the latter, that's a *different* out-of-memory problem, and one I, at least, wasn't aware of. If the former, at least one large consumer of memory is the memory for all the columns in the list of packets, so... > As we just want to export capture files in PDML, is there a way to > deactivate (in code or with options) these information in order to > process bigger captures ? ...you might try just using TShark with "-T pdml" rather than Wireshark; as TShark doesn't have a display of all the columns (it only prints one column at a time, and only does that if run without "-V" or "-T"), it won't consume memory for that. It does consume memory for reassembly and other dissection-related operations, just as Wireshark does, so using TShark might not be enough. However, disabling *that* would cause packets to be dissected differently, and the PDML you get from that might not be the PDML you want (for example, it wouldn't dissect PDUs split across multiple link-layer packets correctly). > I dont know if i am asking the question in the right mailing list, > maybe wireshark-users ? wireshark-users was probably the right list on which to start asking about this. _______________________________________________ Wireshark-dev mailing list [email protected] http://www.wireshark.org/mailman/listinfo/wireshark-dev
