Wireshark-users: [Wireshark-users] tshark memory

From: Abhijit Bare <abhibare@xxxxxxxxx>
Date: Tue, 19 Jan 2010 13:26:31 -0700
Hi all,

I have a problem with tshark memory usage. I need to use tshark for a read filter. However, it looks like tshark reads in the entire input file in memory. Is this correct?

My traffic file is huge (at least 2.5 TB uncompressed). You can't really read in such a file and, in my opinion, tshark doesn't have to, as applying read filter can be done on each individual packet.

But every time I do this, tshark memory and virtual memory reported by top become really large and output rate (using -w option) becomes very slow.

Do you expect this? Is there any way to avoid this?

Thank you,
Abhijit