Wireshark-dev: Re: [Wireshark-dev] Tshark0994 memory question

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sat, 13 Jan 2007 17:19:01 -0800
rmkml wrote:

> but tcp session is closed properly (wget download quit properly)
> maybe add parameter for freeing memory after tcp fin/reset ?

That could perhaps be done for tcpdump and TShark (although it doesn't help the case where connections aren't closed properly; tcpdump, when run without -S, is vulnerable to SYN flood), but can't be done for Wireshark (as you might later click on a packet that's part of the connection).

That's also probably not the biggest problem.

> and maybe add memory parameter alloc limit ? (icmp/udp/ipproto and others)

We could, but, at least for me, if the default for that parameter weren't "infinity", I'd change it to infinity in my configuration.

The biggest problem is probably reassembly. In your case, if you were doing a *single* wget, note that the *entire* contents of the file being downloaded will be reassembled. A limit on the amount of data that can be reassembled - with the reassembly code ideally just discarding the code and making the tvbuff with the reassembled data short (i.e., its reported length would be the total amount of data to be reassembled, and its data length would be the amount of data it kept), so that the HTTP dissector doesn't restart dissecting in the middle of the file being downloaded - would probably handle that.

You can, of course, just run with "-o tcp.desegment_tcp_streams:false" to disable TCP reassembly entirely....
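The reassembly limit described in the message above, as an added example that is not part of the original post and is not Wireshark's code: bytes past a per-stream cap are counted but not stored, so the reported length stays accurate while memory stays bounded. The `capped_reasm` type, its functions, the 4096-byte cap and the zero-filled segments are all hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical capped reassembly buffer; not Wireshark's tvbuff API. */
typedef struct {
    unsigned char *data;  /* bytes actually kept in memory */
    size_t data_len;      /* number of bytes kept, never above cap */
    size_t reported_len;  /* total bytes the stream carried */
    size_t cap;           /* per-stream memory limit */
} capped_reasm;

int reasm_init(capped_reasm *r, size_t cap) {
    memset(r, 0, sizeof *r);
    r->cap = cap;
    r->data = malloc(cap ? cap : 1);
    return r->data ? 0 : -1;
}

/* Append an in-order segment: count every byte, store only up to cap. */
void reasm_add(capped_reasm *r, const unsigned char *seg, size_t len) {
    size_t room = r->cap - r->data_len;
    size_t keep = len < room ? len : room;
    memcpy(r->data + r->data_len, seg, keep);
    r->data_len += keep;
    r->reported_len += len;
}

/* Completion is judged on reported_len, so a truncated body still ends. */
int reasm_pdu_complete(const capped_reasm *r, size_t pdu_len) {
    return r->reported_len >= pdu_len;
}

/* Constructed input: n zero-filled 1460-byte segments; returns bytes held. */
size_t demo_feed(size_t cap, size_t n, size_t *reported) {
    static const unsigned char seg[1460];
    capped_reasm r;
    if (reasm_init(&r, cap) != 0) return 0;
    for (size_t i = 0; i < n; i++) reasm_add(&r, seg, sizeof seg);
    *reported = r.reported_len;
    free(r.data);
    return r.data_len;
}

int main(void) {
    size_t reported = 0, held = demo_feed(4096, 100, &reported);
    printf("held %zu of %zu reported bytes\n", held, reported);
    return 0;
}
```
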