Wireshark · Wireshark-dev: Re: [Wireshark-dev] Why does it take so long to parse certain captures?

Wireshark-dev: Re: [Wireshark-dev] Why does it take so long to parse certain captures?

From: Richard Sharpe <realrichardsharpe@xxxxxxxxx>

Date: Fri, 6 May 2022 09:30:07 -0700

On Fri, May 6, 2022 at 1:01 AM Martin Mathieson via Wireshark-dev
<wireshark-dev@xxxxxxxxxxxxx> wrote:
>
> On linux,   I've had good profiling information in the past from using ./tools/valgrind-wireshark.sh -p -2 <pcap>
> You view the resulting *.callgrind file using kcachegrind

Ahhh, that is good to know.

> Martin
>
> On Fri, May 6, 2022 at 6:42 AM Jaap Keuter <jaap.keuter@xxxxxxxxx> wrote:
>>
>> Without having looked at the SMB dissector, there could be a lot of housekeeping going on in the background, w.r.t. keeping track of chunks, searches for file handles to names, etc.Things add up quickly with large files like this.
>>
>> Jaap
>>
>> > On 6 May 2022, at 00:42, Richard Sharpe <realrichardsharpe@xxxxxxxxx> wrote:
>> >
>> > Hi folks,
>> >
>> > I am often handling SMB2 captures with lots of compound requests.
>> >
>> > I am looking at one at the moment that has about 300,000 packets in
>> > it, about half of which are SMB2 requests but they are mostly compound
>> > requests with three SMB2 requests in each compound:
>> >
>> > 1. CREATE some file,
>> > 2. QueryInfo the Security Descriptor for the file,
>> > 3. CLOSE the file.
>> >
>> > This takes an extraordinary amount of time to load even though I have
>> > 64GB on that machine. (Around 10 minutes or more.)
>> >
>> > Moreover, other captures with a comparable number of packets but no,
>> > or fewer, SMB compound requests take far less time to load.
>> >
>> > Does anyone have any ideas on why this is so?
>> >
>> > --
>> > Regards,
>> > Richard Sharpe
>> > (何以解憂？唯有杜康。--曹操)(传说杜康是酒的发明者)
>>
>> ___________________________________________________________________________
>> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
>> Archives:    https://www.wireshark.org/lists/wireshark-dev
>> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
>>              mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
>
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe



-- 
Regards,
Richard Sharpe
(何以解憂？唯有杜康。--曹操)(传说杜康是酒的发明者)

Follow-Ups:
- Re: [Wireshark-dev] Why does it take so long to parse certain captures?
  - From: Gerald Combs

References:
- [Wireshark-dev] Why does it take so long to parse certain captures?
  - From: Richard Sharpe
- Re: [Wireshark-dev] Why does it take so long to parse certain captures?
  - From: Jaap Keuter
- Re: [Wireshark-dev] Why does it take so long to parse certain captures?
  - From: Martin Mathieson

Prev by Date: Re: [Wireshark-dev] Why does it take so long to parse certain captures?
Next by Date: Re: [Wireshark-dev] Why does it take so long to parse certain captures?
Previous by thread: Re: [Wireshark-dev] Why does it take so long to parse certain captures?
Next by thread: Re: [Wireshark-dev] Why does it take so long to parse certain captures?
Index(es):
- Date
- Thread