Running tshark on large pcap files

[Rayne <hjazz6 () ymail com>]

Hi all,

I'm running tshark on a few large pcap files (each over 100GB in size) to extract packets belonging to a particular 
TCP/UDP port and write them to a file.

I noticed that when tshark first starts, it uses about 90-100% of the CPU, and the processing is pretty fast. However, 
as it continues, it uses more and more of the memory (the server has ~8GB of RAM) and eventually, the CPU load is down 
to 1% or less when it's using almost all of the memory. And it takes days to process one pcap file. I had to stop the 
processing because it was taking too long.

Does this behavior have anything to do with how tshark works on pcap files? Does tshark try to load the pcap into 
memory, and when memory runs out, it slows to a crawl? Is there any way I can make tshark run faster?

Thank you.

Regards,
Rayne

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe