
tshark main memory usage is high

I am trying to see if there is any easy way to strip tshark out of the Wireshark source code, so that it just decodes an input pcap with a smaller memory footprint. Currently the main memory utilization by tshark is approx. 129 MB and shared memory approx. 70 MB in an ideal situation.

I was trying to check if I can remove the lib dependencies (wiretap, wireshark etc.) from the tshark exe on my Linux box. But it looks like it's not that loosely coupled and cribs during the build.

Kindly let me know if it's possible to shrink the memory footprint of tshark to 50 MB or less.

ajay3107
asked 2022-01-18 07:35:38 +0000

1 Answer


I was trying to check if I can remove the lib dependency (wiretap, wireshark etc) from tshark

Not if you want TShark to be able to read all the file types Wireshark reads and do all the dissection Wireshark does. libwiretap is the code both Wireshark and TShark use to read capture files and libwireshark is the code both Wireshark and TShark use to dissect packets.

I.e., you'd have to write your own replacements for libwiretap and libwireshark, at which point you've pretty much written your own packet analyzer.

Or you could use tcpdump.

Guy Harris
answered 2022-01-18 21:43:16 +0000, updated 2022-01-18 23:15:01 +0000

Comments

When I am trying to use tcpdump for decoding 4G NAS messages, I am getting the error below: tcpdump: packet printing is not supported for link type 252: use -w

I am not sure if tcpdump can be used to perform the decoding of 4G NAS messages from the pcap file. Basically I want to decode this packet and print it field by field the way tshark does; could you please highlight whether that's possible using tcpdump?

ajay3107 (2022-01-19 08:40:16 +0000)

If you add support in tcpdump for DLT_WIRESHARK_UPPER_PDU, and the appropriate "upper PDU" type, it would be possible. That would require some work, however.

Guy Harris (2022-01-20 09:50:30 +0000)
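The tcpdump error in the comment above comes straight from the link-layer type recorded in the capture file header, so it is worth checking that value before deciding which tool can decode a file. The following is an added example, not code from the thread or from the Wireshark/tcpdump projects: it reads the link type from a pcap or pcapng header and flags 252 (DLT_WIRESHARK_UPPER_PDU) as a type stock tcpdump cannot print; the sample headers it builds are constructed, with no real traffic in them.

```python
import struct

# Registered link-layer type; 252 is the value tcpdump refused to print above
LINKTYPE_WIRESHARK_UPPER_PDU = 252  # LINKTYPE_/DLT_WIRESHARK_UPPER_PDU
PCAP_MAGIC_LE = {0xA1B2C3D4, 0xA1B23C4D}  # magic read as LE => LE file (us/ns stamps)
PCAP_MAGIC_BE = {0xD4C3B2A1, 0x4D3CB2A1}  # magic read as LE => BE file
PCAPNG_SHB = 0x0A0D0D0A  # Section Header Block type (same bytes in either order)
PCAPNG_IDB = 0x00000001  # Interface Description Block type
PCAPNG_BOM = {0x1A2B3C4D: "<", 0x4D3C2B1A: ">"}  # SHB byte-order magic

def link_type(data):
    """Return (file_format, link_type) read from the header of a pcap/pcapng file."""
    if len(data) < 24:
        raise ValueError("not enough bytes for a capture file header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in PCAP_MAGIC_LE or magic in PCAP_MAGIC_BE:
        # pcap: link type is the last 32-bit field of the 24-byte global header
        endian = "<" if magic in PCAP_MAGIC_LE else ">"
        return "pcap", struct.unpack(endian + "I", data[20:24])[0]
    if magic != PCAPNG_SHB:
        raise ValueError(f"unrecognised capture file magic 0x{magic:08x}")
    # pcapng: endianness comes from the SHB byte-order magic, link type from the first IDB
    endian = PCAPNG_BOM.get(struct.unpack("<I", data[8:12])[0])
    if endian is None:
        raise ValueError("pcapng section header has a bad byte-order magic")
    off = 0
    while off + 8 <= len(data):
        btype, blen = struct.unpack(endian + "II", data[off:off + 8])
        if btype == PCAPNG_IDB:
            return "pcapng", struct.unpack(endian + "H", data[off + 8:off + 10])[0]
        if blen < 12:  # minimum legal block: type + length + trailing length
            raise ValueError("pcapng block length too small")
        off += blen
    raise ValueError("no Interface Description Block found")

def tcpdump_can_print(lt):
    """Stock tcpdump has no printer for the upper-PDU pseudo link type."""
    return lt != LINKTYPE_WIRESHARK_UPPER_PDU

# Constructed sample headers (no real traffic) for exercising the parser.
def make_pcap_header(lt, endian="<"):
    return struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, lt)

def make_pcapng_header(lt, endian="<"):
    shb = struct.pack(endian + "IIIHHqI", PCAPNG_SHB, 28, 0x1A2B3C4D, 1, 0, -1, 28)
    idb = struct.pack(endian + "IIHHII", PCAPNG_IDB, 20, lt, 0, 262144, 20)
    return shb + idb
```

On a real file, pass the first few hundred bytes of the capture to `link_type`; a pcapng file whose first IDB reports 252 is the case Guy Harris describes, where only Wireshark/TShark know how to dissect the contents.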