Wireshark mailing list archives

Re: TCP conversation analysis can be expensive, and you can't disable it


From: Michael Mann <mmann78 () netscape net>
Date: Wed, 27 Apr 2016 22:42:23 -0400


See
https://code.wireshark.org/review/15138/
https://code.wireshark.org/review/15139
 
They at least put a dent in it.
 
 
-----Original Message-----
From: Guy Harris <guy () alum mit edu>
To: Developer support list for Wireshark <wireshark-dev () wireshark org>
Sent: Mon, Apr 25, 2016 8:00 pm
Subject: [Wireshark-dev] TCP conversation analysis can be expensive, and you can't disable it

When I read the capture file mentioned in bug 12367

        https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12367

it eats about 6-8GB on my machine.

A large amount of that data is in structures allocated by init_tcp_conversation_data(), which is called by get_tcp_conversation_data() if there isn't already one for the conversation.

get_tcp_conversation_data() is *always* called by dissect_tcp(), so you can't disable that analysis.

So if you're reading a large capture file with a lot of TCP connections, make sure you're on a 64-bit machine that has plenty of memory and that either has or can allocate plenty of swap space to back it if necessary.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
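
Added example (not part of the original thread and not Wireshark code): the structures discussed above are allocated when a conversation has none yet, so counting TCP conversations in a capture before opening it shows how many such allocations to expect. It assumes a classic pcap with Ethernet framing and IPv4, keys on address/port pairs only (an approximation, not Wireshark's own conversation tracking), and uses hypothetical function names and a constructed sample capture.

```python
import socket
import struct

def count_tcp_conversations(pcap):
    """Count distinct TCP conversations (bidirectional address/port pairs)
    in a classic pcap byte string with Ethernet link type, IPv4 only."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) is handled")
    seen, offset = set(), 24
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[offset + 8:offset + 12])[0]
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not Ethernet II carrying IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 6 or len(ip) < ihl + 4:
            continue                      # not TCP, or header truncated
        if struct.unpack("!H", ip[6:8])[0] & 0x1FFF:
            continue                      # later fragment: no TCP header
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        a, b = (ip[12:16], sport), (ip[16:20], dport)
        seen.add((min(a, b), max(a, b)))  # same key for both directions
    return len(seen)

def build_sample_pcap():
    """Constructed capture: 5 frames, 3 TCP conversations, 1 UDP frame."""
    def frame(src, dst, sport, dport, proto=6):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
        return b"\x00" * 12 + b"\x08\x00" + ip + l4
    frames = [
        frame("10.0.0.1", "10.0.0.2", 40000, 80),
        frame("10.0.0.2", "10.0.0.1", 80, 40000),   # reply, same conversation
        frame("10.0.0.1", "10.0.0.2", 40001, 80),
        frame("10.0.0.3", "10.0.0.2", 40000, 443),
        frame("10.0.0.1", "10.0.0.2", 5353, 53, proto=17),  # UDP, ignored
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(count_tcp_conversations(build_sample_pcap()))
```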
