Ask Your Question
0

tshark main memory usage are high

asked 2022-01-18 07:35:38 +0000

ajay3107 gravatar image

I am tying to see if at all we have any easy way to strip off tshark from wireshark source code, so that it just decodes input pcap with less memory foot prints. Currently main memory utilization by the tshark is approx 129 MB and shared memory as approx 70 MB in ideal situation.

I was trying to check if I can remove the lib dependency (wiretap, wireshark etc) from tshark exe on my linux box. But looks like its not that loosely coupled and cribs during build.

Kindly let me know if its possible to shrink the memory footprint of tshark to 50 MB or less?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2022-01-18 21:43:16 +0000

Guy Harris gravatar image

updated 2022-01-18 23:15:01 +0000

I was trying to check if I can remove the lib dependency (wiretap, wireshark etc) from tshark

Not if you want TShark to be able to read all the file types Wireshark reads and do all the dissection Wireshark does. libwiretap is the code both Wireshark and TShark use to read capture files and libwireshark is the code both Wireshark and TShark use to dissect packets.

I.e., you'd have to write your own replacements for libwiretap and libwireshark, at which point you've pretty much written your own packet analyzer.

Or you could use tcpdump.

edit flag offensive delete link more

Comments

When I am trying to use tcpdump for decoding 4g NAS messages, I am getting below error. tcpdump: packet printing is not supported for link type 252: use -w

I am not sure if tcpdump can be used to perform the decoding of 4G NAS messages, from the pcap file. Basically I want to decode this packet and print field by field the way tshark use to perform, could you pls highlight if that's possible using tcpdump?

ajay3107 gravatar imageajay3107 ( 2022-01-19 08:40:16 +0000 )edit

If you add support in tcpdump for DLT_WIRESHARK_UPPER_PDU, and the appropriate "upper PDU" type, it would be possible. That would require some work, however.

Guy Harris gravatar imageGuy Harris ( 2022-01-20 09:50:30 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2022-01-18 07:35:38 +0000

Seen: 280 times

Last updated: Jan 19 '22