Wireshark mailing list archives
Re: TCP conversation analysis can be expensive, and you can't disable it
From: Guy Harris <guy () alum mit edu>
Date: Mon, 25 Apr 2016 17:08:59 -0700
On Apr 25, 2016, at 4:59 PM, Guy Harris <guy () alum mit edu> wrote:
When I read the capture file mentioned in bug 12367 https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12367 it eats about 6-8GB on my machine. A large amount of that data is in structures allocated by init_tcp_conversation_data(), which is called by get_tcp_conversation_data() if there isn't already one for the conversation. get_tcp_conversation_data() is *always* called by dissect_tcp(), so you can't disable that analysis. So if you're reading a large capture file with a lot of TCP connections, make sure you're on a 64-bit machine that has plenty of memory and that either has or can allocate plenty of swap space to back it if necessary.
(Note: the crash on OS X isn't a "I ran out of memory so I'm calling abort()" crash; *maybe* it's running out of memory on Windows, given the "the application requested" message from Windows, but, if so, there's a separate problem on OS X.) ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- TCP conversation analysis can be expensive, and you can't disable it Guy Harris (Apr 25)
- Re: TCP conversation analysis can be expensive, and you can't disable it Guy Harris (Apr 25)
- Re: TCP conversation analysis can be expensive, and you can't disable it Michael Mann (Apr 27)