> If you are running without the -R option, do you use "update list of packets
> in real time"? I guess not.
>
> This way, you simply write the packets to the disk, without any packet
> dissection.
>
> If you use the -R switch, Ethereal has to dissect all incoming packets
> and will keep a lot of information internally and this will also slow
> down capturing performance.
>
> Why not use a capture filter -f for this? This is the preferred way to
> do this kind of filtering, as the capture filter engine is much simpler
> but very fast and has "no" memory consumption.
>
> Regards, ULFL

Sorry, I should have been a little bit more specific. I'm running
"tethereal" and log the "display filter"-ed packets into a file. They
have to be dissected as I'm filtering for an IP address deep within
the GTP tunnel. There is a constant stream of 20+ Mbps on the
interface, but only a very small amount of this is first matched by
the capture filter for GTP ports and then finally filtered further by
the display filter.

I have done this before very easily under older versions, but with
0.10.13, there seems to be a new issue where it is eating memory and
in a few min there is a Gig used and the machine runs out of memory.
Ethereal crashes with message along the lines of "unable to allocate
XYZ block of memory".

Regards,
Sadin