The exact command i am using is : tshark -r my_big_capture_file -T pdml -V | myprogram
It is tshark who is running out of memory (monitored). Could the pipe have something to do with it ? On Thu, Feb 28, 2008 at 7:12 PM, Guy Harris <[EMAIL PROTECTED]> wrote: > Edouard Funke wrote: > > > We are currently using wireshark PDML export functionnality (with > > custom plugins) to export big capture files to be processed after. > > We are constantly "hitting" the out of memory problem > > (http://wiki.wireshark.org/KnownBugs/OutOfMemory) as wireshark keeps > > information on packet list and for tcp reassembly among others > > things... > > So are you saying that Wireshark is running out of memory trying to > *read* the capture, or are you saying that it can read the file but runs > out of memory trying to export the capture as PDML? > > If the latter, that's a *different* out-of-memory problem, and one I, at > least, wasn't aware of. > > If the former, at least one large consumer of memory is the memory for > all the columns in the list of packets, so... > > > > As we just want to export capture files in PDML, is there a way to > > deactivate (in code or with options) these information in order to > > process bigger captures ? > > ...you might try just using TShark with "-T pdml" rather than Wireshark; > as TShark doesn't have a display of all the columns (it only prints one > column at a time, and only does that if run without "-V" or "-T"), it > won't consume memory for that. > > It does consume memory for reassembly and other dissection-related > operations, just as Wireshark does, so using TShark might not be enough. > However, disabling *that* would cause packets to be dissected > differently, and the PDML you get from that might not be the PDML you > want (for example, it wouldn't dissect PDUs split across multiple > link-layer packets correctly). > > > > I dont know if i am asking the question in the right mailing list, > > maybe wireshark-users ? > > wireshark-users was probably the right list on which to start asking > about this. > > _______________________________________________ > Wireshark-dev mailing list > Wireshark-dev@wireshark.org > http://www.wireshark.org/mailman/listinfo/wireshark-dev > _______________________________________________ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev
