|Main Archive Page > Month Archives > wireshark-dev archives|
John Sullivan wrote:
> On Tuesday, October 12, 2010, 3:27:09 PM, Jeff Morriss wrote:
>> I think composite tvbuffs probably do work, but their use is hindered by
>> the fact that each tvb that you get (each time a frame is handed to your
>> dissector) is freed/reused after the packet is dissected. That is,
>> Wireshark does _not_ keep the entire capture file in memory. Because of
>> that, there's relatively little need/use for the composite functions and
>> it's why you need to allocate copies of whatever data you want to
> This. I was digging into the RTMPT dissector again over the weekend,
> hoping I could move from allocating memory for every reassembled pdu
> to just creating composite tvbs overlaying the original packets. This
> would have been a big win memory-wise, since the reassembled packets
> have to live for the entire capture session (multiple non-contiguous
> chunks based on multiple prior TCP segments), but turns out not to be
> possible for the above reason.
> So it looks like it's necessary to either tvb_memdup from the original
> data, then add a tvb_new_real_data to a composite and use that, or
> se_alloc the entire buffer up front, tvb_memcpy into it and use a
> tvb_new_real_data from that which has a lower overhead in terms of
> tvbuff structures.
> (I have a concern that neither of those will free up the used memory.
> tvb_memdup uses g_malloc and there is no notification of when this is
> safe to free so AFAICS it is leaked. The se_alloced blocks will of
> course be freed once the capture is closed, but what of the extra tvb
> structures on top of them? I presume they are permanent rather than
> seasonal so ought to be tvb_freed at some point, but again I can't see
> any notification of when that should happen, so it doesn't.)
The tvb structures should be freed whenever they're not used any more.
If you want to g_malloc() the data, you can use tvb_set_free_cb(). From
* Although you may call tvb_free(), the tvbuff may still be in use
* by other tvbuff's (TVBUFF_SUBSET or TVBUFF_COMPOSITE), so it is not
* safe, unless you know otherwise, to free your guint8* data. If you
* cannot be sure that your TVBUFF_REAL_DATA is not in use by another
* tvbuff, register a callback with tvb_set_free_cb(); when your tvbuff
* is _really_ freed, then your callback will be called, and at that time
* you can free your original data.
An example from packet-data.c:
guint8 *real_data = tvb_memdup(tvb, 0, bytes);
data_tvb = tvb_new_child_real_data(tvb,real_data,bytes,bytes);
Sent via: Wireshark-dev mailing list <firstname.lastname@example.org>