Wireshark Memory Bloat on VoIP capture files

Wireshark is a really neat tool for analyzing phone calls. But when
you load a 100 MB capture file of VoIP calls, you need much more than
100 MB of RAM. But how much more?

Here's a data point from which you can make a line: a 326.15 MB PCAP
file contained lots of SIP, and a little RTP. This wasn't a raw
capture file; I had thrown away a lot of the RTP and RTCP.

The file compressed to 121.15 MB using gzip. Then when Wireshark
opened it, and then generated a "VoIP Calls" analysis, the resident
memory size was 610.52 MB. That means Wireshark needs about 1.87-times
as much RAM as there are bytes in the input file, in this case.

So if I can dedicate 1 GB RAM to opening a capture file, I can
probably handle a PCAP file that's about 530 MB uncompressed.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s