On Fri, Oct 13, 2000 at 10:11:50AM -0400, Reimer, Fred wrote:
> [dist list trimmed]
>
> As you can probably tell, I didn't read all the source code before making
> some assumptions about what Ethereal kept in memory. I just thought that to
> have a process size of over 144MB when the packet trace was "only" 60MB it
> HAD to be
> keeping everything in memory.
You would think, huh? There probably is a problem, we just need to find it.
> (this may already be a feature or discussed on the list, so I may show more
> ignorance here ;-)
>
> 3. Ability to specify a filter on the command line to "trim down" a capture
> file into another capture file, without having to load the whole file in
> Ethereal just to specify the filter and save it as a new file before
> exiting.
That's our "-R" option.
>
> 4. Ability to specify a range of packets and save them to a new file,
> without loading the GUI.
That's our stand-alone editcap program.
> Question:
>
> If a major memory hog is the GTK+ list that displays the summary info, would
> the tethereal "terminal" version be >>significantly<< more able to handle
> large packet traces? I can test this myself, obviously, but if you have a
> quick answer (yes or no would suffice)...
Yes, but it's not an interactive program in the way that Sniffer for DOS is
interactive. It's like tcpdump -- it spits everything out to stdout. You can
save the full decode (tethereal -V) to a file and use vi or emacs as your
user interface. :)
--gilbert