
Memory leak in tshark

I am getting a memory leak while trying to use tshark to monitor the traffic captured on a network interface. This can be seen by watching the resident memory usage of the tshark process, using the top command.

Since the monitoring needs to be long term and I am only interested in a single pass analysis, I launch tshark with the -M flag to perform periodic resetting of the EPAN session.

tshark -i eth0 -M 1500 -T fields -e eth.dst -e ip.version

Nevertheless, there is a slow increase in the memory consumption despite this periodic resetting.

The most confusing part is that the value provided to the -M argument seems to be relevant to the problem.

This does not leak (memory periodically resets):

tshark -i eth0 -M 150000 -T fields -e eth.dst -e ip.version

This leaks (memory is ever increasing):

tshark -i eth0 -M 1500 -T fields -e eth.dst -e ip.version

The Wireshark version I am using is 2.4.16, built from source, on an Ubuntu 12.04 VM. I have investigated this problem using later Wireshark versions (e.g. 3.0.6) and on other operating systems (e.g. CentOS 7) but the problem persists (although for different values of -M).

Is there an explanation or a solution for this?

Pavlos
asked 2019-12-10 10:32:51 +0000, updated 2019-12-10 14:20:19 +0000
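An added example (not part of the original question and not Wireshark code): a Python sketch that turns the "watch resident memory in top" check described above into a repeatable measurement, by sampling VmRSS from /proc and comparing the memory floor after each reset. It assumes Linux; the function names, the 10% drop and 5% tolerance thresholds, and the two sample series are constructed for illustration.

```python
"""Added example: classify a tshark RSS series as resetting or leaking (Linux)."""
import re
import sys
import time
from pathlib import Path


def read_rss_kib(pid):
    """Resident set size in KiB from /proc/<pid>/status, or None if absent."""
    text = Path(f"/proc/{pid}/status").read_text()
    match = re.search(r"^VmRSS:\s+(\d+)\s+kB", text, re.MULTILINE)
    return int(match.group(1)) if match else None


def reset_floors(samples, drop=0.10):
    """RSS values seen right after each fall of more than `drop` (a reset)."""
    return [cur for prev, cur in zip(samples, samples[1:])
            if cur < prev * (1 - drop)]


def classify(samples, drop=0.10, tolerance=0.05):
    """'resets' if the post-reset floor is stable, 'leaks' if it keeps rising."""
    floors = reset_floors(samples, drop)
    if len(floors) < 2:
        # No usable resets in the window: judge by overall growth instead.
        grew = samples[-1] > samples[0] * (1 + tolerance)
        return "leaks" if grew else "flat"
    return "leaks" if floors[-1] > floors[0] * (1 + tolerance) else "resets"


# Constructed sample series in KiB (not measurements from the question).
SAWTOOTH = [50000, 60000, 70000, 80000, 51000, 61000, 71000, 81000,
            50000, 60000, 70000, 80000, 51000]
CREEPING = [50000, 60000, 70000, 55000, 65000, 75000, 61000, 71000,
            81000, 67000, 77000]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: script.py <tshark pid>; takes 60 samples, 5 seconds apart.
        series = []
        for _ in range(60):
            rss = read_rss_kib(int(sys.argv[1]))
            if rss is not None:
                series.append(rss)
            time.sleep(5)
        print(classify(series) if series else "no samples")
    else:
        print(classify(SAWTOOTH), classify(CREEPING))
```

Run it with the PID of the tshark process once for each -M value; a rising floor between resets is the pattern worth attaching to a bug report.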


1 Answer


Good discussion in the comments about long term captures using tshark and/or dumpcap.

Bug 12231 - tshark uses ever increasing amount of memory
https://bugs.wireshark.org/bugzilla/s...

Chuckc
answered 2019-12-11 16:27:21 +0000

Comments

Thank you for your answer. The solutions proposed in this discussion concern capturing to a file.

In my case, I do not wish to export to a file, but rather print the dissected fields in the terminal (I do not wish to use the -w and -b options).

In my understanding, the -M flag should lead to similar results with regards to the memory.

Are there any additional steps I have to take so as to make -M actually reset all the memory?

Maybe something more internal such as tweaking of the wmem allocators?

Pavlos (2019-12-12 12:34:23 +0000)

Adding a comment to Bug 12231 might get a better response.

Chuckc (2019-12-12 13:31:14 +0000)
