Wireshark-dev: Re: [Wireshark-dev] Limiting amount of memory used to analyze TCP (HTTP) traffic
From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Thu, 25 Feb 2016 17:58:32 -0500


On Thu, Feb 25, 2016 at 4:53 PM, Vitaly Repin <vitaly.repin@xxxxxxxxx> wrote:
Hello,

I am trying to understand how the Wireshark TCP dissector utilizes memory.

That's a good place to start but there's a lot of other stuff in Wireshark that will use a lot of memory as time goes by.

On the off chance you haven't read it (at least a dozen times :-)) already: Wireshark's generally not the best tool for doing long-term analysis for exactly this reason (memory usage).
At one point I was quite interested in adding some kind of memory profiling into Wireshark so we could see exactly where the memory was used at any given point in time (e.g., frame_data's are using 20 Mbytes, TCP reassembly's using 100 Mbytes, etc.) but I never came up with something good.

Then I have taken a look into tcpd->acked_table. According to the
comment it "contains a tree containing all the various ta's keyed by
frame number".
I see that this list monotonically grows during the analysis. Is it
expected behavior?

Assuming that 1) your TCP segments are being ACK'd and 2) you have TCP sequence analysis enabled (it is by default) then yes, it is expected.
Any ideas how I can decrease memory consumption (even for the price of
not being able to analyze the whole TCP session if it contains a huge
amount of data)?

Have you gone through the suggestions in the Wiki's OutOfMemory article? It has some pointers to things that will limit the memory usage.

https://wiki.wireshark.org/KnownBugs/OutOfMemory