This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Memory Consumption

0

The new versions of Wireshark (1.6.8+) are consuming excessive amounts of RAM memory, and have used up all the memory on the machine I am using.

Are you planning to go back to how 1.2.7 works, not using local RAM, or at least minimize it so it doesn't grow more than 5 MB of memory?

With this memory usage on 1.6.8 and up, we cannot upgrade because this causes our servers problems when we are doing long term packet captures.

Also in 1.8.0, what happened to all the capture information in the options? How do I get those back?

Thanks, Geoff


asked 20 Jul '12, 11:38

PapaPanthers

Also in 1.8.0, what happened to all the capture information in the options? How do I get those back?

To what capture information are you referring here?

(20 Jul '12, 14:00) Guy Harris ♦♦

3 Answers:

2

Unfortunately more features means more memory usage :-(

Wireshark isn't the tool of choice for long term captures, as it maintains state info about the captured packets and so will always run out of memory eventually. Dumpcap will capture without retaining state so can be used for longer captures, but even that may cause issues as the capture file grows ever larger. In this case use the Dumpcap -b options to limit each capture file by size or time.

answered 20 Jul '12, 12:36

grahamb ♦

It really is not OK. I was analysing an IAX phone call; 1 minute of traffic (70 packets 100 bytes long) consumed several hundred MBytes of memory in Wireshark 1.10, so I was trying older and older versions (latest from each stable branch). 1.6 and newer exhibit this problem, versions up to 1.4 are OK - the described traffic consumed just a few MBytes, which means that memory consumption between versions 1.4 and 1.6 increased a hundredfold.

(25 Aug '13, 14:40) xtonda

If you really have a 7k capture that causes Wireshark to consume several hundred MB of memory please raise an issue at the Wireshark bugzilla adding your capture as an attachment. Note that without a sample capture it's more difficult for developers to ascertain the nature of the problem and this difficulty can exceed the motivation available to resolve the issue.

(26 Aug '13, 02:01) grahamb ♦

0

The Out of Memory problem has been known since at least September 2005. Version 1.2.7 was released on March 31, 2010.

As suggested elsewhere, you should use dumpcap for long running captures, not Wireshark.

answered 20 Jul '12, 12:42

multipleinte...
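
The long-running capture that both answers above point to (dumpcap instead of Wireshark, with grahamb's `-b` options limiting each file by size or time), sketched as an added example that is not part of the original thread. The sizes, file count, reserve, output path and the `RINGCAP_IFACE` variable are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: bounded long-running capture with dumpcap's ring buffer.
# All values below are assumed for illustration, not taken from the thread.

FILE_KB=102400        # rotate after ~100 MB (dumpcap's filesize is in kB)
FILE_COUNT=50         # keep at most 50 files; the oldest is overwritten
ROTATE_SECS=3600      # also rotate at least once an hour
OUT=/var/tmp/capture/long.pcapng   # hypothetical output path

# Worst-case disk footprint of the ring in kB.
ring_max_kb() {   # ring_max_kb <file_kb> <files>
    echo $(( $1 * $2 ))
}

# Succeeds only if the full ring fits in the available space (kB) while
# leaving a reserve (kB) for the rest of the system.
ring_fits() {     # ring_fits <file_kb> <files> <avail_kb> <reserve_kb>
    [ $(( $(ring_max_kb "$1" "$2") + $4 )) -le "$3" ]
}

# Build the dumpcap argument list for the ring buffer.
ring_args() {     # ring_args <iface> <outfile> <file_kb> <files> <secs>
    echo "-i $1 -w $2 -b filesize:$3 -b files:$4 -b duration:$5"
}

# Free space in kB on the filesystem holding a directory (POSIX df -P -k).
avail_kb() {
    df -P -k "$1" | awk 'NR==2 {print $4}'
}

# Runs only when RINGCAP_IFACE is set, e.g. RINGCAP_IFACE=eth0 sh ringcap.sh
if [ -n "${RINGCAP_IFACE:-}" ]; then
    dir=$(dirname "$OUT")
    if ring_fits "$FILE_KB" "$FILE_COUNT" "$(avail_kb "$dir")" 1048576; then
        # Word splitting of the ring_args output is intended here.
        exec dumpcap $(ring_args "$RINGCAP_IFACE" "$OUT" "$FILE_KB" "$FILE_COUNT" "$ROTATE_SECS")
    fi
    echo "ring buffer would not fit in $dir" >&2
    exit 1
fi
```

With `files:` set, dumpcap overwrites the oldest file once the count is reached, so disk use stays near the figure `ring_max_kb` reports, and the saved files can be opened in Wireshark one at a time.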

0

Are you planning to go back to how 1.2.7 works, not using local RAM, or at least minimize it so it doesn't grow more than 5 MB of memory?

1.2.7, and every version of the software back to Ethereal 0.1, uses local RAM (as does every other application on your machine). Later versions might use more memory to store reassembled packet data, keep track of relationships between packets, etc. We have, over time, made some changes to reduce the memory consumption of the packet list display (by using a different widget) and the table of all packets (by allocating them in bulk and not keeping two pointers in every entry in the table).

answered 20 Jul '12, 14:00

Guy Harris ♦♦

If you are on Windows it is possible you are the victim of a GTK+ bug affecting Windows server where large amounts of memory are lost when the screen is updated or something like that. It might be related to remote desktop as well.

(26 Aug '13, 00:21) Anders ♦