Hi,
>. I expected the memory to grow up to a certain size, then stop, feeding the output file.
No it will not; as state and stuff accumulates memory grows until *shark runs out of memory your mileage on
A trace file depends on the protocols(protocol dissectors) involved.
You can use editcap to split the file up in more suitable slices of say 1 G
Regards
Anders
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx]
On Behalf Of Dario Lombardo
Sent: den 27 augusti 2013 10:09
To: Developer support list for Wireshark
Subject: [Wireshark-dev] Memory consumption in tshark
Hi list
I've run this command on a 10G pcap file.
./tshark -r traffic.all -Y "dns.qry.name.len > 50" -w longnames.pcap
Used memory grows continuously, up to over 3GB of ram. At this point my pc goes thrashing and I must kill tshark.
That's not what I expected. I expected the memory to grow up to a certain size, then stop, feeding the output file.
Any idea about what happens? Any suggestion on how to debug it?