Wireshark-users: Re: [Wireshark-users] tshark memory
From: Abhijit Bare <abhibare@xxxxxxxxx>
Date: Tue, 19 Jan 2010 13:57:01 -0700
Thanks for quick response.

Something is slowing down tshark's output. I am piping the output to gzip. Tshark produced the first 1G in the first 10 minutes and the next 1G in the next 2 hours. It will take me about 5 days at this rate.

I have seen this happening before with tshark. Comparatively, our in-house pcap tools (based on libpcap) can finish reading and writing in a few hours.

After 2 hours, my tshark process is using 3.6G RESIDENT memory and ~ 500G VIRT memory in top output. gzip (output consumer) was initially using 10% CPU, now it is down to 0 or 1% indicating that tshark is sending hardly anything to it.

Not sure what's keeping tshark from doing it faster. Is it my filter?

Thanks again,
Abhijit

PS: This is how I run it:

tshark -r big_file.raw.gz -R "! sip.CSeq contains REGISTER" -w - | gzip > reg_removed.raw.gz &
On Tue, Jan 19, 2010 at 1:35 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:

> On Jan 19, 2010, at 12:26 PM, Abhijit Bare wrote:
>
> > I have a problem with tshark memory usage. I need to use tshark for a read filter. However, it looks like tshark reads in the entire input file in memory. Is this correct?
>
> No, it is not. Neither Wireshark nor TShark read the entire input file into memory.
>
> When it reassembles fragmented/segmented/etc. packets, however, the content of the reassembled packets *is* kept in memory.
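The reply above points at reassembly as the thing that keeps growing in memory. The script below is an added example, not code from either poster or from the Wireshark project: it reruns the same SIP-stripping pipeline with tshark's TCP desegmentation and IP defragmentation preferences switched off (passed with `-o`, using the standard preference names `tcp.desegment_tcp_streams` and `ip.defragment`) and samples tshark's resident memory every few seconds so the growth can be measured rather than read off `top` by hand. It assumes tshark and gzip are on PATH, that the input and output names are placeholders, and that the filter is passed with `-Y`, since tshark releases after this thread treat `-R` as a two-pass read filter that needs `-2`.

```shell
#!/bin/sh
# Added example for this thread, not the poster's or Wireshark's own code.
# Rerun the SIP REGISTER-stripping pipeline with reassembly off and log
# tshark's RSS while it runs. Assumes tshark and gzip on PATH; file names
# are placeholders.

# Preferences (one per line) that stop tshark holding reassembled payloads
# in memory. Both are standard Wireshark preference names, set with -o.
reassembly_off_prefs() {
    printf '%s\n' \
        'tcp.desegment_tcp_streams:FALSE' \
        'ip.defragment:FALSE'
}

# Append "<pid> <seconds since start> <rss_kib>" to a log every INTERVAL
# seconds until the process exits. RSS comes from ps (KiB on Linux/macOS).
sample_rss() {
    pid=$1; interval=${2:-5}; log=${3:-/dev/stdout}; t=0
    while kill -0 "$pid" 2>/dev/null; do
        rss=$(ps -o rss= -p "$pid" 2>/dev/null | tr -d ' ')
        # The process may have exited between kill -0 and ps; skip empty reads.
        [ -n "$rss" ] && printf '%s %s %s\n' "$pid" "$t" "$rss" >> "$log"
        sleep "$interval"
        t=$((t + interval))
    done
}

# Run the thread's pipeline with reassembly disabled, logging tshark's RSS.
# gzip reads from a FIFO so that tshark's pid (not gzip's) is the one sampled.
run_pipeline() {
    in=$1; out=$2; memlog=${3:-tshark_rss.log}
    fifo=$(mktemp -u) && mkfifo "$fifo"
    pref_args=""
    for p in $(reassembly_off_prefs); do pref_args="$pref_args -o $p"; done
    gzip < "$fifo" > "$out" &
    gz_pid=$!
    # The original post used -R; current tshark treats -R as a two-pass
    # filter (needs -2), so the single-pass equivalent -Y is used here.
    # shellcheck disable=SC2086  # pref_args is meant to be word-split
    tshark -r "$in" $pref_args -Y '! sip.CSeq contains REGISTER' -w - > "$fifo" &
    ts_pid=$!
    sample_rss "$ts_pid" 5 "$memlog"
    wait "$gz_pid"
    rm -f "$fifo"
    echo "tshark RSS samples written to $memlog"
}

# Usage: sh this_script.sh big_file.raw.gz reg_removed.raw.gz
# Only runs the pipeline when both names are given and tshark is installed.
if [ "$#" -ge 2 ] && command -v tshark >/dev/null 2>&1; then
    run_pipeline "$1" "$2"
fi
```

If the RSS column in the log still climbs steadily with both preferences off, reassembly is not the only thing being retained and the next thing to compare is the same run with the filter removed, which separates filter cost from dissector state.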
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe