See
https://code.wireshark.org/review/15138/
https://code.wireshark.org/review/15139
They at least put a dent in it.
-----Original Message-----
From: Guy Harris <[email protected]>
To: Developer support list for Wireshark <[email protected]>
Sent: Mon, Apr 25, 2016 8:00 pm
Subject: [Wireshark-dev] TCP conversation analysis can be expensive, and you
can't disable it
When I read the capture file mentioned in bug 12367
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12367
it eats about 6-8GB on my machine.
A large amount of that data is in structures allocated by
init_tcp_conversation_data(), which is called by get_tcp_conversation_data() if
there isn't already one for the conversation.
get_tcp_conversation_data() is *always* called by dissect_tcp(), so you can't
disable that analysis.
So if you're reading a large capture file with a lot of TCP connections, make
sure you're on a 64-bit machine that has plenty of memory and that either has
or can allocate plenty of swap space to back it if necessary.
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:[email protected]?subject=unsubscribe
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:[email protected]?subject=unsubscribe
