Wireshark mailing list archives

Re: Limiting amount of memory used to analyze TCP (HTTP) traffic. Questions about tcp dissector.


From: Jeff Morriss <jeff.morriss.ws () gmail com>
Date: Thu, 25 Feb 2016 17:58:32 -0500

On Thu, Feb 25, 2016 at 4:53 PM, Vitaly Repin <vitaly.repin () gmail com>
wrote:

Hello,

I am trying to understand how the Wireshark TCP dissector utilizes memory.


That's a good place to start but there's a lot of other stuff in Wireshark
that will use a lot of memory as time goes by.

On the off chance you haven't read it (at least a dozen times :-)) already:
Wireshark's generally not the best tool for doing long-term analysis for
exactly this reason (memory usage).

At one point I was quite interested in adding some kind of memory profiling
into Wireshark so we could see exactly where the memory was used at any
given point in time (e.g., frame_data's are using 20 Mbytes, TCP
reassembly's using 100 Mbytes, etc.) but I never came up with something
good.

Then I have taken a look into tcpd->acked_table. According to the
comment it "contains a tree containing all the various ta's keyed by
frame number".
I see that this list monotonically grows during the analysis. Is it
expected behavior?


Assuming that 1) your TCP segments are being ACK'd and 2) you have TCP
sequence analysis enabled (it is by default) then yes, it is expected.


Any ideas how I can decrease memory consumption (even at the price of
not being able to analyze the whole TCP session if it contains a huge
amount of data)?


Have you gone through the suggestions in the Wiki's OutOfMemory article?
It has some pointers to things that will limit the memory usage.

https://wiki.wireshark.org/KnownBugs/OutOfMemory
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev