This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to reduce memory usage in very long-time capture and analyze


I modify a version of tshark to analyze real-time packages on Gigabytes port, find out the info I concerned, and write them in files. When facing multi-days capture, the memory grows continuously. I shield the output printing, and write temporary pcapng files in multiple ring buffers to reduce the memory cost. However, memory grows at 20 to 30 MB per hour. How to reduce the memory cost further?

PS: I don't need most of the packet info for summary printing; only request and response packet info is of concern. So I think memory can be kept at a very low level. Any ideas to release the excess memory? Appreciated.

asked 03 Mar '14, 21:19

metamatrix

Anyone have ideas? @Guy @Kurt

(05 Mar '14, 00:56) metamatrix
  • What is your protocol?
  • How is a 'request' and a 'response' defined?
  • Did you use any capture filters? If so: which one?
  • What are your modifications to the tshark code so far?
(05 Mar '14, 10:44) Kurt Knochner ♦

To be honest, if it was easy to do it would have been done long ago. To allow all the fantastic things that Wireshark (and tshark) do, e.g. display filters, reassembly, stats, graphs etc. means maintaining state. If your long term capture requirements don't use all that infrastructure then use dumpcap and you're done. If, however you "need" that infrastructure, then you're stuck.

(05 Mar '14, 14:14) grahamb ♦

My protocol contains 802.11, RADIUS, HTTP (only portal packets are concerned) and BOOTP (DHCP). 'Request' and 'response' packets are mainly for the HTTP protocol. I didn't use any capture filter. My modifications are mostly on dissectors, e.g. packet-ieee80211.c

(05 Mar '14, 23:17) metamatrix

If you read the stuff in this thread there are some ideas there: https://www.wireshark.org/lists/wireshark-dev/201304/msg00143.html

Looking into the caching of IP addresses might yield something as well. epan/address.[ch]

If you do something it would be better to do it with the community rather than doing private changes.

(06 Mar '14, 03:52) Anders ♦

One Answer:


If you need "request and response" packet info, by which I think you mean you need the information of which response packet matches which request packet, how would you avoid keeping a list of all previous packets? (that should be what is growing the memory if I recall correctly, by the way)

I mean as far as tshark knows, packet #100000000 could be a response to packet #3.

answered 04 Mar '14, 04:52

Hadriel

If I don't need most of the packet info (including request and response info), how do I free up the memory after dissecting?

(04 Mar '14, 23:40) metamatrix

I think you'd have to download the source and compile it yourself, making the necessary code changes. But if you don't need that kind of info, you may prefer to use a different tool, like dumpcap.

(05 Mar '14, 03:33) Hadriel
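The answer above makes a point that is easy to miss: pairing a response with its request requires remembering earlier packets, and a dissector that remembers every frame (so that frame #100000000 can still be matched to frame #3) necessarily grows with the capture. The following is an added example, not code from this thread or from Wireshark/tshark. It models that trade-off in a few dozen lines of Python: a naive matcher that retains every frame beside a bounded matcher that keeps only unanswered requests and evicts them after a timeout. The `Packet` class, the conversation keys and the traffic generator are all constructed for the illustration; the assumption behind the bounded variant is that a request not answered within `timeout` seconds will never get a response worth reporting.

```python
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed stand-in for a dissected frame (not epan's frame_data)."""
    number: int   # frame number in the capture
    ts: float     # capture timestamp in seconds
    kind: str     # "request" or "response"
    key: tuple    # conversation key, here (client_ip, client_port)


class NaiveMatcher:
    """Retains every frame seen, so any later response could be paired with any
    earlier request. State grows linearly with capture length."""

    def __init__(self):
        self.frames = []       # every frame ever seen (this is what grows)
        self.unanswered = {}   # key -> request frame
        self.pairs = []        # (request_no, response_no) pairs found

    def feed(self, pkt):
        self.frames.append(pkt)
        if pkt.kind == "request":
            self.unanswered[pkt.key] = pkt
        else:
            req = self.unanswered.pop(pkt.key, None)
            if req is not None:
                self.pairs.append((req.number, pkt.number))

    def state_size(self):
        return len(self.frames)


class BoundedMatcher:
    """Keeps only unanswered requests, evicting any older than `timeout`.
    State is bounded by request rate x timeout, independent of capture length."""

    def __init__(self, timeout):
        self.timeout = timeout
        self.pending = OrderedDict()  # key -> request, oldest first
        self.pairs = []               # what would be written to the output file
        self.expired = 0              # requests dropped without a response

    def _expire(self, now):
        # Oldest entries sit at the front; stop at the first one still in window.
        while self.pending:
            key, req = next(iter(self.pending.items()))
            if now - req.ts <= self.timeout:
                break
            self.pending.popitem(last=False)
            self.expired += 1

    def feed(self, pkt):
        self._expire(pkt.ts)
        if pkt.kind == "request":
            # A retransmitted request replaces the older entry and moves to the end.
            self.pending.pop(pkt.key, None)
            self.pending[pkt.key] = pkt
        else:
            req = self.pending.pop(pkt.key, None)
            if req is not None:
                self.pairs.append((req.number, pkt.number))
            # An unmatched response is reported nowhere and retained nowhere.

    def state_size(self):
        return len(self.pending)


def constructed_capture(n_requests, gap=1.0, unanswered_every=10):
    """Constructed traffic: one request every `gap` seconds, its response 0.2 s
    later, and every `unanswered_every`-th request never answered."""
    pkts, number = [], 0
    for i in range(n_requests):
        t, key = i * gap, ("10.0.0.%d" % (i % 50), 40000 + i)
        number += 1
        pkts.append(Packet(number, t, "request", key))
        if i % unanswered_every != unanswered_every - 1:
            number += 1
            pkts.append(Packet(number, t + 0.2, "response", key))
    return pkts


def compare(n_requests=1000, timeout=5.0):
    """Run both matchers over the same constructed capture and report peak state."""
    capture = constructed_capture(n_requests)
    naive, bounded = NaiveMatcher(), BoundedMatcher(timeout)
    peak_naive = peak_bounded = 0
    for pkt in capture:
        naive.feed(pkt)
        bounded.feed(pkt)
        peak_naive = max(peak_naive, naive.state_size())
        peak_bounded = max(peak_bounded, bounded.state_size())
    return {"frames": len(capture), "pairs_naive": len(naive.pairs),
            "pairs_bounded": len(bounded.pairs), "peak_naive": peak_naive,
            "peak_bounded": peak_bounded, "expired": bounded.expired}


def late_response(timeout=5.0, delay=100.0):
    """The edge case from the answer: a response arriving long after its request.
    Returns (naive_pairs, bounded_pairs) to show what the bound costs."""
    key = ("10.0.0.1", 50000)
    req, resp = Packet(1, 0.0, "request", key), Packet(2, delay, "response", key)
    naive, bounded = NaiveMatcher(), BoundedMatcher(timeout)
    for pkt in (req, resp):
        naive.feed(pkt)
        bounded.feed(pkt)
    return len(naive.pairs), len(bounded.pairs)


if __name__ == "__main__":
    print(compare())
    print(late_response())
```

With the constructed traffic the naive matcher ends holding all 1900 frames while the bounded one never holds more than two pending requests, and both report the same 900 pairs; `late_response` shows the price: a response that arrives after the timeout is no longer matched. That is exactly the decision the answer points at, and it is why the page's other suggestion (dumpcap for the capture, analysis afterwards in bounded chunks) avoids the problem rather than solving it inside tshark.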