Wireshark-users: Re: [Wireshark-users] how to handle big files in wireshark

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 9 Jul 2010 18:08:19 -0700
On Jul 9, 2010, at 4:36 PM, Bryan Hoyt | Brush Technology wrote:

> I'm not an expert here, but isn't it possible to reduce the amount of memory used by disabling all the protocols that you don't use (or even the ones you do use, if you can live without them)?
> 
> I think a lot of the memory usage comes from the specific protocols, not just the Wireshark core.

A lot of the memory usage, at least when I last checked, came from the fact that all (with the old packet list widget) or many (with the new packet list widget) of the columns require that memory be allocated for the contents of the column for each of the packets; with a lot of packets that's a lot of strings.

Disabling protocols won't help much there, unless the disabled protocols generate longer strings than the still-enabled protocols that call them.

More memory probably comes from reassembled packets; if some protocol that appears in the capture does reassembly, and you disable that protocol, that might reduce memory usage.  If that protocol supports disabling reassembly, that might also help.

Disabling protocols that don't appear in any of the packets in the capture won't do anything.