Wireshark-dev: Re: [Wireshark-dev] Memory consumption in tshark

From: Jakub Zawadzki <darkjames-ws@xxxxxxxxxxxx>
Date: Tue, 27 Aug 2013 18:53:01 +0200
Hi,

>> From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Dario Lombardo
> 
>> I've run this command on a 10G pcap file.
> 
>> ./tshark -r traffic.all -Y "dns.qry.name.len > 50" -w longnames.pcap
> 
>> Used memory grows continuously, up to over 3GB of ram. At this point my pc goes thrashing and I must kill tshark.
>> That's not what I expected. I expected the memory to grow up to a certain size, then stop, feeding the output file.
>> Any idea about what happens? Any suggestion on how to debug it?

On Tue, Aug 27, 2013 at 02:40:07PM +0000, Anders Broman wrote:

> No it will not; as state and stuff accumulates memory grows until *shark runs out of memory your mileage on

Isn't it a bug? Do we need some special option for such case, or reusing
single pass tshark is good enough?
We should anyway do -2 pass default where we have a file (and not pipe).