Wireshark-dev: Re: [Wireshark-dev] PDML export on big capture files
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 28 Feb 2008 10:12:19 -0800
Edouard Funke wrote:

> We are currently using wireshark PDML export functionality (with
> custom plugins) to export big capture files to be processed after.
> We are constantly "hitting" the out of memory problem
> (http://wiki.wireshark.org/KnownBugs/OutOfMemory) as wireshark keeps
> information on packet list and for tcp reassembly among other
> things...

So are you saying that Wireshark is running out of memory trying to *read* the capture, or are you saying that it can read the file but runs out of memory trying to export the capture as PDML?

If the latter, that's a *different* out-of-memory problem, and one I, at least, wasn't aware of.

If the former, at least one large consumer of memory is the memory for all the columns in the list of packets, so...

> As we just want to export capture files in PDML, is there a way to
> deactivate (in code or with options) this information in order to
> process bigger captures?

...you might try just using TShark with "-T pdml" rather than Wireshark; as TShark doesn't have a display of all the columns (it only prints one column at a time, and only does that if run without "-V" or "-T"), it won't consume memory for that.

It does consume memory for reassembly and other dissection-related operations, just as Wireshark does, so using TShark might not be enough. However, disabling *that* would cause packets to be dissected differently, and the PDML you get from that might not be the PDML you want (for example, it wouldn't dissect PDUs split across multiple link-layer packets correctly).

> I don't know if I am asking the question in the right mailing list,
> maybe wireshark-users?

wireshark-users was probably the right list on which to start asking about this.
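
Added example, not part of the original message or of Wireshark's code: a streaming consumer for the PDML that `tshark -r <file> -T pdml` writes, which discards each `<packet>` element after reading it so the later processing step does not itself run out of memory on a big export. The script name `pdml_summary.py`, the function name, and the two-packet sample are constructed for illustration.

```python
import io
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed two-packet PDML sample (not real capture output), trimmed to
# the elements and attributes this example reads.
SAMPLE_PDML = b"""<?xml version="1.0"?>
<pdml version="0" creator="constructed-sample">
  <packet>
    <proto name="geninfo"><field name="num" show="1"/></proto>
    <proto name="frame"/><proto name="eth"/><proto name="ip"/>
    <proto name="tcp"/>
  </packet>
  <packet>
    <proto name="geninfo"><field name="num" show="2"/></proto>
    <proto name="frame"/><proto name="eth"/><proto name="ip"/>
    <proto name="udp"/><proto name="dns"/>
  </packet>
</pdml>
"""


def summarize_pdml(stream):
    """Read PDML from a binary stream one packet at a time.

    Returns (packet_count, Counter of each packet's last protocol layer).
    """
    packets = 0
    last_layer = Counter()
    events = ET.iterparse(stream, events=("start", "end"))
    _, root = next(events)              # start event of the <pdml> root
    for event, elem in events:
        if event == "end" and elem.tag == "packet":
            packets += 1
            layers = [p.get("name") for p in elem.findall("proto")]
            if layers:
                last_layer[layers[-1]] += 1
            root.clear()                # drop the packet just processed
    return packets, last_layer


if __name__ == "__main__":
    # Usage: tshark -r capture.pcap -T pdml | python pdml_summary.py -
    # With no argument, the constructed sample above is parsed instead.
    use_stdin = len(sys.argv) > 1 and sys.argv[1] == "-"
    source = sys.stdin.buffer if use_stdin else io.BytesIO(SAMPLE_PDML)
    count, layers = summarize_pdml(source)
    print(count, dict(layers))
```

This only bounds memory on the consuming side; TShark's own reassembly state, described above, still grows with the capture.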