This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi all, I'm using source code of wireshark-1.10.9 in order to modify some pieces of code in packet-data.c. I use functions to allocate memory like this:

  • At first, I use

"sccp_sonnh = wmem_alloc(wmem_packet_scope(), sizeof(guint8)*nSccp_length)"

but when I run tshark -r vnp.pcap, it shows a Segmentation Fault right after running. It can run in Windows but cannot run in Linux.

  • Then, I use

"sccp_sonnh = ep_alloc_array(guint8,nSccp_length);"

to allocate. It can run but I see the memory increasing very fast. Finally, I got the error:

GLib-ERROR **: gmem.c:170: failed to allocate 919295276 bytes aborting...

when the memory is at 95% and about 1837440 packets were read, even though I check the log and see that every time, my program only allocates 140 or 90... bytes. As mentioned in README.malloc, "The ephemeral functions allocate memory that will be automatically freed once the current packet dissection completes" but in my case, it looks like the memory is not freed. So, please help if you have an idea for this:

  1. With "tshark -r", when 1837440 packets were read, does it mean these packets are freed?
  2. If no, how can I free this memory?
  3. Is this an out-of-memory bug in Wireshark or just my coding mistake? (We are dissecting UDP)
  4. Are there other ways to allocate memory, and how can I make sure that this memory is freed each time a packet is dissected?

P/S: When I use static memory allocation, it runs faster and memory increases more slowly, but it still keeps increasing and stops after running 10 minutes.

asked 24 Sep '14, 03:05


hoangsonk49

edited 25 Sep '14, 19:59

Hi, I suspect it's something else eating the memory - what are you doing with the sccp_sonnh array? I doubt packet-data.c is the right place to put the modification, as it might be called from many dissectors, not only packet-udp.c

my program only allocates 140 or 90... bytes.

Are you sure about this? nSccp_length couldn't take an arbitrary value?

Also in "normal" cases Wireshark/tshark will run out of memory eventually because of state kept between packets. Your mileage depends on the protocols in the trace and available RAM or application memory allocation limits.

(26 Sep '14, 01:55) Anders ♦
  • I use the sccp_sonnh array to store some values taken from tvb_tree (data.data). As mentioned in README.malloc, it will be freed automatically right after switching to another packet.
  • I'm pretty sure that "my program only allocates 140 or 90... bytes". I print this value right before ep_alloc_array. Also, I check this value against the data taken from tvb_tree. It matches.
  • From the GUI of Wireshark, I can see that the dissector stops at the UDP protocol, which means no other dissector is running after packet-data.c
  • The last protocol of this data is UDP with data.data, and my server has 32 Gb RAM

For more information: when I comment out these modifications, it can run without any increase in memory.

(28 Sep '14, 20:10) hoangsonk49
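
The comment about `nSccp_length` raises the general case of a length read from packet data being used as an allocation size. As an added example (not part of the original thread and not Wireshark code), this self-contained C program checks such a length against the bytes actually present before allocating from a per-packet arena; the arena, `dissect_one`, the 4-byte length layout and the sample packets are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a packet-scoped pool (not Wireshark's wmem): a
 * fixed arena rewound after every packet, so use cannot grow across packets. */
#define ARENA_SIZE 4096
static uint8_t arena[ARENA_SIZE];
static size_t arena_used, arena_peak;

static void *arena_alloc(size_t n) {
    if (n == 0 || n > ARENA_SIZE - arena_used) return NULL;
    void *p = arena + arena_used;
    arena_used += n;
    if (arena_used > arena_peak) arena_peak = arena_used;
    return p;
}

/* Read a 4-byte big-endian length at the start of the packet and copy that
 * many payload bytes. The length comes from the capture file, so it is checked
 * against the bytes actually present before it is used as an allocation size.
 * Returns the copied length, or -1 if rejected (zero-length fields included). */
static long dissect_one(const uint8_t *pkt, size_t pkt_len) {
    long result = -1;
    if (pkt_len >= 4) {
        uint32_t n = ((uint32_t)pkt[0] << 24) | ((uint32_t)pkt[1] << 16) |
                     ((uint32_t)pkt[2] << 8) | pkt[3];
        uint8_t *dst = (n <= pkt_len - 4) ? arena_alloc(n) : NULL;
        if (dst != NULL) {
            memcpy(dst, pkt + 4, n);
            result = (long)n;
        }
    }
    arena_used = 0;            /* end of packet: release everything */
    return result;
}

/* Constructed packets: a sane length, and a length field of 919295276. */
static const uint8_t good_pkt[] = { 0, 0, 0, 3, 'a', 'b', 'c' };
static const uint8_t bad_pkt[]  = { 0x36, 0xCB, 0x55, 0x2C, 'a', 'b', 'c' };

/* Dissect good_pkt `count` times; return the arena's high-water mark. */
static size_t run_many(unsigned count) {
    while (count--) (void)dissect_one(good_pkt, sizeof good_pkt);
    return arena_peak;
}

int main(void) {
    printf("good=%ld bad=%ld peak=%zu\n", dissect_one(good_pkt, sizeof good_pkt),
           dissect_one(bad_pkt, sizeof bad_pkt), run_many(1837440));
    return 0;
}
```
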