tshark crashes: reading large packet captures via lua_script

Hi, I am trying to read and process a packet capture (pcap) of 1 GB, using tshark and lua_script using listeners, but the system memory gradually ramps up and tshark crashes when the system memory is maxed out.

Code flow is based on :

  1. Any inputs on how to handle large files like this? I even observed this crash for 400MB+ files as well.

  2. My understanding is that the Listener is holding the memory of each packet until we complete the full packet capture. Is there a way to free up memory after processing every packet?

example: tshark -q -r test.pcap -X lua_script:process.lua -X lua_script1:test.pcap

  3. Is it possible to read the packets in batches rather than loading the full pcap file?

Regards, Dharun

1 Answer

In general tshark/wireshark will consume more and more memory as more packets are read in. The only workaround is to split the file in manageable chunks. Editcap is one tool that can be used for this purpose. That said, I haven't had problems handling files > 500 MB (other than the time it takes to filter them), so possibly there is something sub-optimal in your code.
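The workaround from the answer above, as an added example that is not part of the original thread: split the capture with editcap and run the Lua script over each chunk in its own tshark process, so memory is released between chunks. The function name `split_and_process`, the `chunks_done` variable, the 200000-packet default and the temporary directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): chunked processing of a large capture.
# Usage: split_and_process test.pcap process.lua 200000

# split_and_process <capture> <lua_script> [packets_per_chunk]
# Sets chunks_done to the number of chunks tshark processed successfully.
# Returns 2 on unreadable input, 1 if editcap or any tshark run fails.
split_and_process() {
    capture=$1
    script=$2
    per_chunk=${3:-200000}      # assumed default; tune to available RAM
    chunks_done=0

    [ -r "$capture" ] || { echo "cannot read $capture" >&2; return 2; }
    [ -r "$script" ]  || { echo "cannot read $script" >&2; return 2; }

    workdir=$(mktemp -d) || return 1

    # editcap -c N writes files of at most N packets each, named
    # chunk_<index>_<timestamp>.pcap next to the given output name.
    if ! editcap -c "$per_chunk" "$capture" "$workdir/chunk.pcap"; then
        rm -rf "$workdir"
        return 1
    fi

    status=0
    for chunk in "$workdir"/chunk_*; do
        [ -e "$chunk" ] || continue
        # One tshark process per chunk: its dissection state ends with it.
        # lua_script1:<arg> mirrors the question's command, which passes
        # the capture name to the first script as an argument.
        if tshark -q -r "$chunk" -X "lua_script:$script" \
                  -X "lua_script1:$chunk"; then
            chunks_done=$((chunks_done + 1))
        else
            echo "tshark failed on $chunk" >&2
            status=1
        fi
        rm -f "$chunk"          # free disk space as each chunk completes
    done

    rm -rf "$workdir"
    return "$status"
}
```

Each tshark run starts with empty dissection state, so streams that cross a chunk boundary are not reassembled, and any totals the Lua listener keeps have to be merged across runs.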

