Another article worth reading is https://blog.wireshark.org/2014/07/to-infinity-and-beyond-capturing-forever-with-tshark/
It doesn't solve your problem, but it contains some good information on surrounding issues.

Evan

On Thu, Feb 25, 2016 at 5:58 PM, Jeff Morriss <[email protected]> wrote:
>
> On Thu, Feb 25, 2016 at 4:53 PM, Vitaly Repin <[email protected]> wrote:
>>
>> Hello,
>>
>> I am trying to understand how the Wireshark TCP dissector utilizes memory.
>
> That's a good place to start but there's a lot of other stuff in Wireshark
> that will use a lot of memory as time goes by.
>
> On the off chance you haven't read it (at least a dozen times :-)) already:
> Wireshark's generally not the best tool for doing long-term analysis for
> exactly this reason (memory usage).
>
> At one point I was quite interested in adding some kind of memory profiling
> into Wireshark so we could see exactly where the memory was used at any
> given point in time (e.g., frame_data's are using 20 Mbytes, TCP
> reassembly's using 100 Mbytes, etc.) but I never came up with something
> good.
>
>> Then I have taken a look into tcpd->acked_table. According to the
>> comment it "contains a tree containing all the various ta's keyed by
>> frame number".
>> I see that this list monotonically grows during the analysis. Is it
>> expected behavior?
>
> Assuming that 1) your TCP segments are being ACK'd and 2) you have TCP
> sequence analysis enabled (it is by default) then yes, it is expected.
>
>>
>> Any ideas how I can decrease memory consumption (even for the price of
>> not being able to analyze the whole TCP session if it contains huge
>> amount of data)?
>
> Have you gone through the suggestions in the Wiki's OutOfMemory article? It
> has some pointers to things that will limit the memory usage.
>
> https://wiki.wireshark.org/KnownBugs/OutOfMemory
>
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <[email protected]>
> Archives: https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> mailto:[email protected]?subject=unsubscribe
