Wireshark mailing list archives

Re: reduce tshark memory usage


From: Guy Harris <guy () alum mit edu>
Date: Wed, 22 Nov 2017 12:26:12 -0800

On Nov 22, 2017, at 9:42 AM, Pascal Quantin <pascal.quantin () gmail com> wrote:

> No, Wireshark also keeps in memory all that is needed to make the relationship between packets (request / response 
> tracking, conversations, reassembly, ...).

And sometimes that information is needed to do packet dissection, so it's necessary even if all you want is "just some 
protocol’s field information".

For example, some request/response protocols (such as all ONC RPC-based protocols) have a request type value and a 
request ID in a request packet and, in the response, have only the request ID for the request to which this is a 
response, *not* the type value, so you need the type value from the request in order to dissect the response.

And to fully and correctly dissect packets, to get the field information from higher-level protocols in the packet, you 
may need to do reassembly.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
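
The ONC RPC case described in the message above, as an added example that is not part of the original post and is not Wireshark code: a minimal tracker that stores the program/version/procedure from each call, keyed by request ID (XID), and shows that a reply cannot be interpreted once that state has been discarded to save memory. The `RpcTracker` class, its `max_pending` cap, and the sample messages are constructed for illustration; the header layout follows RFC 5531.

```python
import struct

CALL, REPLY = 0, 1  # msg_type values from RFC 5531

def build_call(xid, prog, vers, proc):
    """Constructed sample: RPC v2 call with empty AUTH_NONE cred and verifier."""
    return struct.pack(">10I", xid, CALL, 2, prog, vers, proc, 0, 0, 0, 0)

def build_reply(xid):
    """Constructed sample: accepted reply (AUTH_NONE verifier, SUCCESS)."""
    return struct.pack(">6I", xid, REPLY, 0, 0, 0, 0)

class RpcTracker:
    """Hypothetical one-pass tracker: remembers each call so its reply can be decoded."""

    def __init__(self, max_pending=None):
        self.pending = {}            # xid -> (prog, vers, proc)
        self.max_pending = max_pending

    def dissect(self, msg):
        if len(msg) < 8:
            raise ValueError("truncated RPC header")
        xid, mtype = struct.unpack_from(">II", msg)
        if mtype == CALL:
            if len(msg) < 24:
                raise ValueError("truncated RPC call")
            _rpcvers, prog, vers, proc = struct.unpack_from(">4I", msg, 8)
            if self.max_pending and len(self.pending) >= self.max_pending:
                # Cap memory by forgetting the oldest outstanding call.
                del self.pending[next(iter(self.pending))]
            self.pending[xid] = (prog, vers, proc)
            return {"type": "call", "xid": xid, "call": (prog, vers, proc)}
        if mtype == REPLY:
            # The reply carries no prog/vers/proc; only the saved call says
            # how to decode the result bytes that follow the header.
            return {"type": "reply", "xid": xid, "call": self.pending.pop(xid, None)}
        raise ValueError("unknown msg_type %d" % mtype)

def demo():
    capped = RpcTracker(max_pending=1)
    capped.dissect(build_call(1, 100003, 3, 1))   # NFSv3 GETATTR
    capped.dissect(build_call(2, 100000, 2, 3))   # portmap GETPORT, evicts xid 1
    return capped.dissect(build_reply(1)), capped.dissect(build_reply(2))

if __name__ == "__main__":
    print(demo())
```

With the cap set to 1, the reply to XID 1 comes back with no call context, so its payload could only be shown as opaque bytes, while the reply to XID 2 is still decodable.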