Wireshark-dev: Re: [Wireshark-dev] PDML export on big capture files

From: "Edouard Funke" <korlaz@xxxxxxxxx>
Date: Fri, 29 Feb 2008 10:14:02 +0100
The exact command I am using is:
tshark -r my_big_capture_file -T pdml -V | myprogram

It is tshark who is running out of memory (monitored). Could the pipe
have something to do with it?

On Thu, Feb 28, 2008 at 7:12 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
> Edouard Funke wrote:
>
>  > We are currently using wireshark PDML export functionality (with
>  > custom plugins) to export big capture files to be processed after.
>  > We are constantly "hitting" the out of memory problem
>  > (http://wiki.wireshark.org/KnownBugs/OutOfMemory) as wireshark keeps
>  > information on packet list and for tcp reassembly among other
>  > things...
>
>  So are you saying that Wireshark is running out of memory trying to
>  *read* the capture, or are you saying that it can read the file but runs
>  out of memory trying to export the capture as PDML?
>
>  If the latter, that's a *different* out-of-memory problem, and one I, at
>  least, wasn't aware of.
>
>  If the former, at least one large consumer of memory is the memory for
>  all the columns in the list of packets, so...
>
>
>  > As we just want to export capture files in PDML, is there a way to
>  > deactivate (in code or with options) these information in order to
>  > process bigger captures?
>
>  ...you might try just using TShark with "-T pdml" rather than Wireshark;
>  as TShark doesn't have a display of all the columns (it only prints one
>  column at a time, and only does that if run without "-V" or "-T"), it
>  won't consume memory for that.
>
>  It does consume memory for reassembly and other dissection-related
>  operations, just as Wireshark does, so using TShark might not be enough.
>   However, disabling *that* would cause packets to be dissected
>  differently, and the PDML you get from that might not be the PDML you
>  want (for example, it wouldn't dissect PDUs split across multiple
>  link-layer packets correctly).
>
>
>  > I don't know if I am asking the question in the right mailing list,
>  > maybe wireshark-users?
>
>  wireshark-users was probably the right list on which to start asking
>  about this.
>
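
A consumer for the `tshark -T pdml | myprogram` pipeline discussed above, as an added example that is not part of the thread and not the poster's program: it reads PDML incrementally so its own memory stays flat, and it reports a stream that ended before `</pdml>`, for instance when the producer exits mid-export. It does not change tshark's own memory use; the names `iter_packets` and `process` and the sample input are assumptions made for illustration.

```python
import io
import xml.etree.ElementTree as ET

# Constructed two-packet PDML sample (not tshark output from the thread).
SAMPLE = b"""<?xml version="1.0"?>
<pdml version="0" creator="constructed-sample">
<packet>
  <proto name="geninfo"><field name="num" show="1"/></proto>
  <proto name="ip">
    <field name="ip.src" show="192.0.2.1"/>
    <field name="ip.dst" show="192.0.2.2"/>
  </proto>
</packet>
<packet>
  <proto name="geninfo"><field name="num" show="2"/></proto>
  <proto name="ip">
    <field name="ip.src" show="192.0.2.2"/>
    <field name="ip.dst" show="192.0.2.1"/>
  </proto>
</packet>
</pdml>
"""

def iter_packets(stream, wanted):
    """Yield one {field name: show value} dict per complete <packet>."""
    context = ET.iterparse(stream, events=("start", "end"))
    _, root = next(context)              # "start" event of the <pdml> root
    for event, elem in context:
        if event == "end" and elem.tag == "packet":
            yield {f.get("name"): f.get("show")
                   for f in elem.iter("field") if f.get("name") in wanted}
            root.clear()                 # free the packet just handled

def process(stream, wanted, handle):
    """Pass each packet to handle(); return (packets_seen, complete)."""
    seen = 0
    try:
        for row in iter_packets(stream, wanted):
            handle(row)
            seen += 1
    except ET.ParseError:                # input ended before </pdml>
        return seen, False
    return seen, True

if __name__ == "__main__":
    # In the pipeline, pass sys.stdin.buffer instead of the sample.
    print(process(io.BytesIO(SAMPLE), {"num", "ip.src", "ip.dst"}, print))
```

A `complete` value of `False` means the last packets of the capture never reached the consumer, so the count marks how far the export got.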