Revision history [back]

Regarding https://blog.wireshark.org/2014/07/to-infinity-and-beyond-capturing-forever-with-tshark/ , I see that the -b flag "ring buffer" only applies to the live capture mode with "-i". How to handle the memory growth while reading a very large capture file using "-r" option. e.g. ./tshark -r example.pcap ??

Tried following changes to discard states : In process_cap_file(), I added following code after each process_packet_single_pass() call : if (perform_stateless_analysis) { epan_dissect_free(edt); epan_free(cf->epan); cf->epan = tshark_epan_new(cf); edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);

}

After these changes the %CPU and %MEM still seems to grow as observed by the 'top' command. The processing time also have increased drastically. If we do not want to maintain the states, is there anything else we can do to reduce the memory consumed and the processing time??

Regarding https://blog.wireshark.org/2014/07/to-infinity-and-beyond-capturing-forever-with-tshark/ , I see that the -b "-b" flag "ring buffer" only applies to the live capture mode with "-i". How to handle the memory growth while reading a very large capture file using "-r" option. e.g. ./tshark -r example.pcap ??

Tried following changes to discard states : In process_cap_file(), I added following code after each process_packet_single_pass() call :

if (perform_stateless_analysis) {
          epan_dissect_free(edt);
          epan_free(cf->epan);
          cf->epan = tshark_epan_new(cf);
          edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
 
print_details);
 }

After these changes the %CPU and %MEM still seems to grow as observed by the 'top' command. The processing time also have increased drastically. If we do not want to maintain the states, is there anything else we can do to reduce the memory consumed and the processing time??