Wireshark-dev: Re: [Wireshark-dev] size of wireshark installation files

From: "Jean-Grégoire Foulon" <jg.foulon.dev@xxxxxxxxxxxxxx>
Date: Tue, 10 Jul 2007 10:14:27 +0100
On 7/9/07, Guy Harris <guy@xxxxxxxxxxxx> wrote:
Cruz, Petagay wrote:
> hi, how can I reduce the size of the wireshark library produced in 'make
> install'?  I built without plugins.   what is using all the space?

Well, for starters, all the dissectors - plugins *aren't* part of the
library, they're loaded at run time, but almost all the disssectors in
Wireshark are built in, so they're part of the library.

There's currently no easy way to select a subset of dissectors to include.

The rest of it is the Wireshark "core" to support dissection, taps,
etc.; that can't be removed.


Hi,
 I just finished to write a patch for Tshark to disable a lot of dissectors and make it smaller. It is on the wiki : http://wiki.wireshark.org/BuildingAndInstalling
 The choice of the removed dissectors is arbitrary, it suits my own use ans only works for Tshark, but it can be a good start if you want to get a smaller version of Wireshark.

Here is an extract of the readme, correct me if I did any mistakes

HOW TO REMOVE DISSECTORS
------------------------

First, modify some files so the unwanted dissectors won't be compiled anymore:
Makefile.in
epan/Makefile.in
epan/dissectors/Makefile.in


You must choose the unwanted dissectors so that they were no dependencies problems. The dissectors you leave must not depend on the dissector you remove.
In some cases, you will have to modify the source files to get rid of dependencies. For example, the telnet dissector depends on kerberos, it was patched so we could remove the kerberos dissector and keep the telnet one.

tshark-tap-register.c and epan/dissectors/register.c are generated by Makefiles by parsing source files and adding specific functions they find in those files. They must be deleted to be regenerated with the correct list of functions. Before calling 'make' to build them, you have to remove the unused sourcefiles from their original directory otherwise tshark-tap-register.c and epan/dissectors/register.c will still have references to functions which won't be compiled.

Once everything compiles, try to run Tshark.
If you are lucky it will just work out of the box, but it's more likely Tshark will print "Aborted" and exit. It is an assert message which is printed when a dissector can't be added dynamically with the function dissector_add().
It means you have to patch some dissectors to remove dynamic dependencies.
All the dissector_add() calls that create problems must be commented. Be careful not to remove important ones.
To know in which file the problem lays, use gdb and its backtrace command:
gdb tshark
>run
>backtrace
>q
It Will give you the file and the line that cause the assert to fail.

Once you removed all the calls that make asserts fail, Tshark should run properly.



Regards,
Jean-Gregoire