We already discard a great deal of state in (single-pass) tshark that we keep around in Wireshark (or two-pass tshark). We do need to keep some, though. It's only a bug if we're keeping more than we actually need, and that's not determinable from the information we have here. Dario, if you could get us a memory profile of tshark in this situation (through valgrind's massif tool, for example) that would help us debug further.
I dislike the idea of two-pass by default for exactly this reason: people expect tshark to be relatively state-less. This is already not the case, but it's a lot worse in two-pass mode. It might even make sense to add a --state-less flag to tshark that disables all options which require state. I don't know how feasible that would be however. Evan On Tue, Aug 27, 2013 at 4:26 PM, Joerg Mayer <[email protected]> wrote: > On Tue, Aug 27, 2013 at 06:53:01PM +0200, Jakub Zawadzki wrote: > > >> ./tshark -r traffic.all -Y "dns.qry.name.len > 50" -w longnames.pcap > > > > > >> Used memory grows continuously, up to over 3GB of ram. At this point > my pc goes thrashing and I must kill tshark. > > >> That's not what I expected. I expected the memory to grow up to a > certain size, then stop, feeding the output file. > > >> Any idea about what happens? Any suggestion on how to debug it? > > > > On Tue, Aug 27, 2013 at 02:40:07PM +0000, Anders Broman wrote: > > > > > No it will not; as state and stuff accumulates memory grows until > *shark runs out of memory your mileage on > > > > Isn't it a bug? Do we need some special option for such case, or reusing > > single pass tshark is good enough? > > We should anyway do -2 pass default where we have a file (and not pipe). > > IMO it's a bug. While we need to keep a lot of state for Wireshark, we > don't need > (most of) it for tshark. > > Ciao > Jörg > > -- > Joerg Mayer <[email protected]> > We are stuck with technology when what we really want is just stuff that > works. Some say that should read Microsoft instead of technology. > ___________________________________________________________________________ > Sent via: Wireshark-dev mailing list <[email protected]> > Archives: http://www.wireshark.org/lists/wireshark-dev > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev > mailto:[email protected] > ?subject=unsubscribe >
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <[email protected]> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:[email protected]?subject=unsubscribe
