Ethereal-users: Re: [Ethereal-users] tethereal eats my memory

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Tue, 16 Aug 2005 10:33:23 -0700

Stefan Sabolowitsch wrote:

I have here a Firewall with three NICs. There I started tethereal as follows.

./tethereal -i any -R ip.addr == 192.168.100.100 or ip.addr == 217.6.34.4 -a filesize:50000 -b 100 -w /var/log/trace.pcap

Tethereal is eating memory because you used the "-R" flag; display filters require that packets be fully dissected, and the dissection process creates state information, reassembled packets, etc. which consume memory.

If you want to capture only traffic to or from 192.168.100.100 or to or from 217.6.34.4, you can do that with a capture filter. If you're not printing the packets, and you're not using a "read filter" when capturing, Tethereal won't dissect the packets; that means it'll consume not only less memory, but less CPU time.

Try

tethereal -i any -a filesize:50000 -b 100 -w /var/log/trace.pcap host 192.168.100.100 or 217.6.34.4

and see whether that runs longer.
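
The rewrite from a "-R" display filter to a capture filter shown in the reply above can be done mechanically for simple expressions. The following is an added example, not part of the original message or of Ethereal; the names `FIELD_MAP`, `tokenize` and `to_capture_filter` are hypothetical, and it goes beyond the `ip.addr` case in the thread by also mapping `ip.src`, `ip.dst`, `tcp.port` and `udp.port`. Anything without a direct capture-filter equivalent is rejected rather than guessed at.

```python
import re

# Display-filter field -> capture-filter (pcap) primitive. Assumed mapping for
# this example: only fields with a direct equivalent are listed.
FIELD_MAP = {
    "ip.addr": "host",       # pcap "host" matches source or destination
    "ip.src": "src host",
    "ip.dst": "dst host",
    "tcp.port": "tcp port",
    "udp.port": "udp port",
}
BOOL_OPS = {"and": "and", "&&": "and", "or": "or", "||": "or"}
TOKEN = re.compile(r"\s*(\(|\)|&&|\|\||==|!=|[\w.]+)")


def tokenize(expr):
    """Split a display filter into fields, operators, values and parentheses."""
    expr, pos, tokens = expr.strip(), 0, []
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"cannot parse at: {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def to_capture_filter(display_filter):
    """Translate a simple display filter; raise ValueError if it has no equivalent."""
    tokens, out, i = tokenize(display_filter), [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("(", ")"):
            out.append(tok)
            i += 1
        elif tok.lower() in BOOL_OPS:
            out.append(BOOL_OPS[tok.lower()])
            i += 1
        elif tok in FIELD_MAP:
            # Only "field == value" is handled. "!=" on a multi-occurrence field
            # such as ip.addr does not mean "not host X", so it is rejected.
            operands = tokens[i + 1:i + 3]
            if len(operands) != 2 or operands[0] != "==" \
                    or not re.fullmatch(r"[\d.]+", operands[1]):
                raise ValueError(f"unsupported comparison on {tok!r}")
            out.append(f"{FIELD_MAP[tok]} {operands[1]}")
            i += 3
        else:
            # e.g. http.request: needs dissection, so it only works with -R
            raise ValueError(f"no capture-filter equivalent for {tok!r}")
    return " ".join(out)
```

For the filter in the original question this yields `host 192.168.100.100 or host 217.6.34.4`, which is the long form of the `host 192.168.100.100 or 217.6.34.4` expression suggested in the reply.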