Wireshark-users: Re: [Wireshark-users] TShark Unhandled exception (group=1, code=6)

From: Sake Blok <sake@xxxxxxxxxx>
Date: Sat, 16 May 2009 08:54:59 +0200

On Thu, May 14, 2009 at 08:52:46PM -0700, roko wrote:
> 
> http://wiki.wireshark.org/KnownBugs/OutOfMemory
> 
> But the page says:
> 
> While capturing: If you're not doing an "Update list of packets in real
> time" capture, it shouldn't consume memory as it captures - although it
> *will* consume memory when you stop the capture and it reads it in, so
> that ultimately won't help.
> 
> Well... that will work for me!

Not quite, this option will make Wireshark capture only, so no
dissection of the packets will be done...

> Now, some questions.  
> Is this the same as the -T option?

No...

> If it is not, how do I set this option in TShark?

... you can't set this option for Tshark, but you could use dumpcap to
achieve the same, which is to capture only. But for your setup, you do
need the tshark output.

> I need the pattern decoded in text, so I can regex it. Can I somehow
> get TShark to just "pop" the text from the packets without any
> memory consumption for whatsoever future correlation that I don't need?

No, tshark is a "stateful" protocol analyser, it does need to keep
track of the state of traffic flows to be able to dissect them.
Otherwise it would not be able to give you re-assembled PDUs for
instance.

What are the fields that you need? You might be able to use tcpdump for
your purpose...

Cheers, 
    Sake