rmkml wrote:
> but tcp session is closed properly (wget download quit properly)
> maybe add parameter for freeing memory after tcp fin/reset ?

That could perhaps be done for tcpdump and TShark (although it doesn't
help the case where connections aren't closed properly; tcpdump, when
run without -S, is vulnerable to SYN flood), but can't be done for
Wireshark (as you might later click on a packet that's part of the
connection).
That's also probably not the biggest problem.

> and maybe add memory parameter alloc limit ? (icmp/udp/ipproto and others)

We could, but, at least for me, if the default for that parameter
weren't "infinity", I'd change it to infinity in my configuration.

The biggest problem is probably reassembly. In your case, if you were
doing a *single* wget, note that the *entire* contents of the file being
downloaded will be reassembled. A limit on the amount of data that can
be reassembled - with the reassembly code ideally just discarding the
code and making the tvbuff with the reassembled data short (i.e., its
reported length would be the total amount of data to be reassembled, and
its data length would be the amount of data it kept), so that the HTTP
dissector doesn't restart dissecting in the middle of the file being
downloaded - would probably handle that.

You can, of course, just run with "-o tcp.desegment_tcp_streams:false"
to disable TCP reassembly entirely....
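
Added example, not part of the message above and not Wireshark code: a sketch of the capped-reassembly idea from the reply, where the buffer keeps at most a fixed number of bytes but still records the full stream length. All names (capped_buf, capped_append, capped_read, body_complete, REASM_CAP) are hypothetical, and the segments are constructed sample data.

```c
#include <stdio.h>
#include <string.h>

#define REASM_CAP 16            /* constructed, tiny cap for the demo */

/* Hypothetical capped reassembly buffer; not Wireshark's tvbuff API. */
struct capped_buf {
    unsigned char data[REASM_CAP];
    size_t data_len;            /* bytes actually kept (<= REASM_CAP) */
    size_t reported_len;        /* bytes the stream really carried */
};

/* Append an in-order segment: always count it, keep only what fits. */
void capped_append(struct capped_buf *b, const void *seg, size_t n)
{
    size_t room = REASM_CAP - b->data_len;
    size_t keep = n < room ? n : room;
    memcpy(b->data + b->data_len, seg, keep);
    b->data_len += keep;
    b->reported_len += n;
}

/* Returns 0 on success, -1 if the range is past the end of the stream,
 * -2 if the bytes were on the wire but discarded because of the cap. */
int capped_read(const struct capped_buf *b, size_t off, size_t n, void *out)
{
    if (off > b->reported_len || n > b->reported_len - off) return -1;
    if (off > b->data_len || n > b->data_len - off) return -2;
    memcpy(out, b->data + off, n);
    return 0;
}

/* A consumer that knows the body size (e.g. from Content-Length) tests
 * reported_len, so later segments are not taken for a new message. */
int body_complete(const struct capped_buf *b, size_t content_length)
{
    return b->reported_len >= content_length;
}

int main(void)
{
    struct capped_buf b = { .data_len = 0 };
    for (int i = 0; i < 3; i++)
        capped_append(&b, "AAAAAAAAAA", 10);   /* constructed segments */
    printf("kept %zu of %zu, complete=%d\n",
           b.data_len, b.reported_len, body_complete(&b, 30));
    return 0;
}
```

Memory use stays bounded by REASM_CAP however large the transfer is, while the -2 result lets a caller distinguish "discarded by the cap" from "never sent".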