Wireshark-dev: Re: [Wireshark-dev] reduce tshark memory usage
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 22 Nov 2017 12:26:12 -0800

On Nov 22, 2017, at 9:42 AM, Pascal Quantin <pascal.quantin@xxxxxxxxx> wrote:

> No, Wireshark also keeps in memory all that is needed to make the relationship between packets (request / response tracking, conversations, reassembly, ...).

And sometimes that information is needed to do packet dissection, so it's necessary even if all you want is "just some protocol’s field information".

For example, some request/response protocols (such as all ONC RPC-based protocols) have a request type value and a request ID in a request packet and, in the response, have only the request ID for the request to which this is a response, *not* the type value, so you need the type value from the request in order to dissect the response.

And to fully and correctly dissect packets, to get the field information from higher-level protocols in the packet, you may need to do reassembly.
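
The ONC RPC case described above, as an added example that is not part of the original message and is not Wireshark's code: a reply header carries the XID but no program, version, or procedure, so a dissector has to keep per-call state until the reply arrives. The names `rpc_track`, `rpc_call`, and `MAX_CALLS`, the fixed-size table, the sample bytes, and the UDP-style framing (no record marking) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* State kept per outstanding call; this is the memory that cannot be dropped. */
struct rpc_call { uint32_t xid, prog, vers, proc; int used; };
#define MAX_CALLS 64
static struct rpc_call calls[MAX_CALLS];  /* toy table: a colliding XID overwrites */

/* Constructed sample: NFSv3 GETATTR call header (first six words) and its reply. */
static const uint8_t sample_call[] = {0x12,0x34,0xAB,0xCD, 0,0,0,0, 0,0,0,2,
                                      0x00,0x01,0x86,0xA3, 0,0,0,3, 0,0,0,1};
static const uint8_t sample_reply[] = {0x12,0x34,0xAB,0xCD, 0,0,0,1, 0,0,0,0};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Feed one RPC message. Returns 1 and fills *out when prog/vers/proc are known,
 * 0 for a reply whose call was never seen (body cannot be dissected),
 * -1 for a malformed or unknown message. */
int rpc_track(const uint8_t *msg, size_t len, struct rpc_call *out) {
    if (len < 8) return -1;
    uint32_t xid = be32(msg), type = be32(msg + 4);
    struct rpc_call *slot = &calls[xid % MAX_CALLS];
    if (type == 0) {            /* CALL: xid, type, rpcvers=2, prog, vers, proc */
        if (len < 24 || be32(msg + 8) != 2) return -1;
        struct rpc_call c = { xid, be32(msg + 12), be32(msg + 16), be32(msg + 20), 1 };
        *slot = c;              /* remember the type information for the reply */
        *out = c;
        return 1;
    }
    if (type == 1) {            /* REPLY: xid, type, reply_stat; no prog or proc */
        if (!slot->used || slot->xid != xid) return 0;
        *out = *slot;
        return 1;
    }
    return -1;
}

int main(void) {
    struct rpc_call c;
    int before = rpc_track(sample_reply, sizeof sample_reply, &c);
    rpc_track(sample_call, sizeof sample_call, &c);
    int after = rpc_track(sample_reply, sizeof sample_reply, &c);
    printf("reply before call: %d, after call: %d (prog %u proc %u)\n",
           before, after, (unsigned)c.prog, (unsigned)c.proc);
    return 0;
}
```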