rmkml wrote:
Im use tshark v0.99.4 on linux kernel2619 and libc232
and I have memory question,
when I start tshark (with -ta -ni eth0), I download iso (~700Mo) for
example, tshark alloc ~220Mo, but never freeing memory (same alloc after
ten minutes after download), why tshark not freeing memory ?
Because it doesn't know it won't need it any more.
The exact same code (the exact same *binary* code) is used for Wireshark
and TShark dissectors.
In Wireshark, various data structures maintained by dissectors are kept
around as long as a capture file is open, as they might be needed in
order to re-dissect particular packets. Even in TShark, a data
structure might be needed to dissect packets later in a capture.
(tcpdump, by default, also keeps some data structures around - a
per-TCP-connection data structure, so it can print relative sequence
numbers.)
The biggest consumer of memory is packet reassembly; for that, it could
conceivably release the memory once the reassembled data is fully
processed, but there's currently no way for the reassembly code to know
that the reassembled data won't be used in the future, as would be the
case in Wireshark. That might be added at some point. (If Wireshark
could be assured that fast random access to capture files is possible,
it could re-read the packet fragments if, after the first pass through
the packet data, a reassembled packet is needed.)