Wireshark · Wireshark-dev: Re: [Wireshark-dev] reduce tshark memory usage

Wireshark-dev: Re: [Wireshark-dev] reduce tshark memory usage

From: Pascal Quantin <pascal.quantin@xxxxxxxxx>

Date: Wed, 22 Nov 2017 18:42:40 +0100

Hi,

2017-11-22 17:32 GMT+01:00 杜伟强 <ishadowprince@xxxxxxxxxxx>:

Hello

I start up a tshark process and print some usefull message into my database.

But as times goes on ,the memory usage of tshark has been grown so big.

And I find here are some word to explain this phenomenology

https://wiki.wireshark.org/Reduce%20memory%20footprint

but I still don’t understand about that:

one packet and related information should be droped after analysis and print related information,isn’t it?

No, Wireshark also keeps in memory all what is needed to make the relationship between packets (request / response tracking, conversations, reassembly, ...).

And I’ve successful build wireshark soure code,what I want is just some protocol’s field information,so

Maybe there are some way to shut down tshark’s analysis feature

If you are only interested by the per packet decoding, I suggest you to have a look at this blog entry: https://blog.wireshark.org/2014/07/to-infinity-and-beyond-capturing-forever-with-tshark/

Best regards,

Pascal.

Follow-Ups:
- Re: [Wireshark-dev] reduce tshark memory usage
  - From: Guy Harris

References:
- [Wireshark-dev] reduce tshark memory usage
  - From: 杜伟强

Prev by Date: Re: [Wireshark-dev] Processing packet before exporting it.
Next by Date: Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap
Previous by thread: [Wireshark-dev] reduce tshark memory usage
Next by thread: Re: [Wireshark-dev] reduce tshark memory usage
Index(es):
- Date
- Thread