This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Memory consumption keeps increasing as I dissect more than one pcap files

0

This might be a trivial question - My program is making use of libwireshark API, notably epan related calls to dissect pcap files. I notice that as I process one file and another, the memory consumption keeps increasing. I have code similar to the following:

for each pcap file {
    init_dissection();

for each packet {
    frame_data_init()
    epan_dissect_init()

    frame_data_set_before_dissect()
    epan_dissect_run()
    frame_data_set_after_dissect()

    epan_dissect_cleanup()
    frame_data_cleanup()
}

cleanup_dissection();



}

While I understand the two cleanup functions don’t free up all processed data related to the current packet as future packet dissection within the same file might make use of the data, these data, however, are completely useless when I move on to the next pcap file. I can’t seem to identify the function that would free these data up after I am done with a file, and I come to speculate that libwireshark is meant to process one file and exit, like tshark does - Am I right?

My current workaround is to restart my program for each pcap file to free up all used memory - ugly, however, as my program is supposed to run as a daemon… Wonder if there is a better approach..

Thanks,

asked 12 Apr ‘16, 15:18

linzhao115's gravatar image

linzhao115
6113
accept rate: 0%

edited 12 Apr ‘16, 20:38

One Answer:

0

I come to speculate that libwireshark is meant to process one file and exit, like tshark does - Am I right?

No. libwireshark is meant to be used by Wireshark, which lets you close files and open new files.

What you want is something such as

for each pcap file {
    epan_t *epan = epan_new();
    initialize the epan in question;
    for each packet {
        frame_data_init();
        epan_dissect_init();
        frame_data_set_before_dissect();
        epan_dissect_run();
        frame_data_set_after_dissect();
        epan_dissect_cleanup();
        frame_data_cleanup();
    }
    epan_free(epan);
}

epan_free() is important here.

answered 12 Apr '16, 18:20

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

edited 12 Apr '16, 21:37

Thanks for the info! But at the moment I am stuck with wireshark-1.8.12, in which epan_new()/epan_free() API aren't available yet. And I looked at the source code, epan_new() is no much more than calling init_dissection(), accordingly, epan_free() calls cleanup_dissection(), and I have already made sure to call these functions for each new file (Updated the code snippet in the question). So huh...

(12 Apr '16, 20:33) linzhao115

Then you're also stuck with whatever memory leaks wireshark 1.8.12 has. init_dissection() and cleanup_dissection() are the routines that are supposed to free up all data for the current capture file; there's nothing more you can do.

(12 Apr '16, 21:43) Guy Harris ♦♦

Okay. Thanks!

(13 Apr '16, 10:57) linzhao115