Wireshark mailing list archives

Re: Wireshark memory handling

From: didier <dgautheron () magic fr>
Date: Mon, 12 Oct 2009 07:00:21 +0200

Hin
Le vendredi 09 octobre 2009 à 10:43 -0400, Jeff Morriss a écrit :

Erlend Hamberg wrote:

Give it a try.  Here's what I just did (for fun :-)):

Starting condition: a whole bunch of RAM free (forget how much, probably 
around 2-2.5 Gb), no swap in use.

Start wireshark loading a 7.6 million packet capture file.
Linux appears to keep free RAM in the ~20-30 Mb range, but swap usage 
grows to 1.5 Gb.  Wireshark consumes 4120 Mb.

Scrolling around the packet list is actually not too slow now.  But 
doing even something simple (that does not involve going through the 
packet list) like Statistics->Summary takes 1-2 minutes.  (Normally the 
summary page is basically instantaneous.)  I didn't even try filtering.

Are Swap and the capture file on the same disk? Seeks storm. If you can,
try with the swap on a different disk. I don't use swap that much but I
made a quick test with a slow external drive. In vmstat Linux was able
to keep the wa columns under 20% most of the time for the SVN version,
not too bad and not much room for improvement, and it was really a slow
disk.


Using memory mapped files would probably help quite a bit with keeping 
the UI responsive because only Wireshark's, for example, packet data 
would be on disk but the executable pages and "core" memory like the 
statistics could be kept in RAM (or at least whatever the OS gives us).

If you have two disks yes. Otherwise at some point Wireshark will start
to swap and you get a seeks storm again.


One could imagine having different allocators (like ep_ and se_ today) 
that use malloc & friends (for "core" stuff) or go to the mmap'd pool 
(for packet data, etc.).

A better layout between write once and read/write data may help a lot
too. It will obfuscate the code though.

Didier


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

Current thread:

Wireshark memory handling Håvar Aambø Fosstveit (Oct 05)
- Re: Wireshark memory handling Guy Harris (Oct 05)
  - Re: Wireshark memory handling Erlend Hamberg (Oct 08)
    - Re: Wireshark memory handling didier (Oct 08)
    - Re: Wireshark memory handling Erlend Hamberg (Oct 09)
    - Re: Wireshark memory handling Jeff Morriss (Oct 09)
    - Re: Wireshark memory handling Guy Harris (Oct 09)
    - Re: Wireshark memory handling didier (Oct 11)
    - Re: Wireshark memory handling didier (Oct 11)
    - Re: Wireshark memory handling Guy Harris (Oct 09)
    - Re: Wireshark memory handling Erlend Hamberg (Oct 13)
    - Re: Wireshark memory handling Jeff Morriss (Oct 14)
    - Re: Wireshark memory handling Guy Harris (Oct 14)
    - Re: Wireshark memory handling Anders Broman (Oct 14)
- Re: Wireshark memory handling didier (Oct 05)
- Re: Wireshark memory handling Jeff Morriss (Oct 05)
  - Re: Wireshark memory handling Guy Harris (Oct 05)
  - Re: Wireshark memory handling Erlend Hamberg (Oct 08)