This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark aborts after approx. 2 days


I'm using Wireshark to try and capture some very rare events that occur very infrequently (months between), but Wireshark shuts down after a couple of days. It's configured to use ring-buffered, multiple trace files, but when I return to the machine after more than 2 or 3 days Wireshark is not running. There is plenty of RAM and disc space. I've asked other people and get the answer "It just does that", which is not a lot of use to me. Any help would be greatly appreciated. Thanks.

asked 16 Sep '10, 09:14


dorsetsteve


One Answer:


Wireshark keeps state information and reassembled data in memory. This means that even if you write to several files on disk, the memory use does increase over time. See: http://wiki.wireshark.org/KnownBugs/OutOfMemory

You can use 'dumpcap' to do the capturing instead; I have used dumpcap to capture a rare problem too and it has been running for months. The syntax you could use is:

dumpcap -i interface -w file -b filesize:16384 -b files:1024

which will create 1024 files of 16 MB, giving you a 16 GB ring buffer. When the problem occurs, just stop dumpcap and use Wireshark (or tshark) to analyse the files.

answered 16 Sep '10, 09:48


SYN-bit ♦♦
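The dumpcap ring-buffer setup from the answer above, as an added example script that is not part of the original answer or of Wireshark itself. It wraps the same `-b filesize:16384 -b files:1024` invocation in a restart loop (so a dumpcap exit caused by an interface going down or a stray signal does not silently end a months-long capture), logs each start and exit, and adds helpers for finding the ring file that contains the event once it has happened. The interface name, output directory, filter and file names are placeholders, and dumpcap, tshark and mergecap are assumed to be on PATH.

```sh
#!/bin/sh
# Added example, not part of the original answer. Wraps the dumpcap ring-buffer
# capture from the answer in a restart loop for unattended runs.
# Assumptions: dumpcap, tshark and mergecap are on PATH; the interface,
# output directory and filter below are placeholders.
set -u

IFACE="${IFACE:-eth0}"                 # assumed capture interface
OUTDIR="${OUTDIR:-/var/tmp/ring}"      # assumed output directory
FILESIZE_KB="${FILESIZE_KB:-16384}"    # per-file size in kB (16 MB), as in the answer
FILES="${FILES:-1024}"                 # files kept in the ring; the oldest is overwritten
CAPFILTER="${CAPFILTER:-}"             # optional BPF capture filter, e.g. "port 5060"

# Total ring size in MB for a per-file size in kB and a file count.
ring_size_mb() {
    echo $(( $1 * $2 / 1024 ))
}

# Build the dumpcap command line; -q suppresses the running packet counter.
# Arguments: interface, base file name, per-file size in kB, file count,
# optional capture filter (must not contain single quotes, since it is eval'd).
dumpcap_cmd() {
    cmd="dumpcap -q -i $1 -w $2 -b filesize:$3 -b files:$4"
    if [ -n "${5:-}" ]; then
        cmd="$cmd -f '$5'"
    fi
    echo "$cmd"
}

# Run dumpcap unattended. If it exits (interface down, error, signal), log the
# exit status and start it again instead of silently stopping the capture.
run_capture() {
    mkdir -p "$OUTDIR"
    cmd=$(dumpcap_cmd "$IFACE" "$OUTDIR/ring.pcapng" "$FILESIZE_KB" "$FILES" "$CAPFILTER")
    echo "ring buffer: $(ring_size_mb "$FILESIZE_KB" "$FILES") MB" >> "$OUTDIR/capture.log"
    while :; do
        echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) start: $cmd" >> "$OUTDIR/capture.log"
        eval "$cmd"
        rc=$?
        echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) dumpcap exited with status $rc" >> "$OUTDIR/capture.log"
        sleep 5
    done
}

# After the rare event: list the ring files in which any packet matches a
# tshark display filter, so only that slice has to be opened in Wireshark.
# dumpcap names ring files <base>_<seq>_<timestamp>.pcapng.
find_in_ring() {
    for f in "$OUTDIR"/ring_*.pcapng; do
        [ -e "$f" ] || continue
        if tshark -r "$f" -Y "$1" 2>/dev/null | grep -q .; then
            echo "$f"
        fi
    done
}

# Merge the whole ring into one trace; mergecap orders packets by timestamp.
merge_ring() {
    mergecap -w "$OUTDIR/merged.pcapng" "$OUTDIR"/ring_*.pcapng
}

# Only start capturing when explicitly asked, e.g.  RUN_CAPTURE=1 sh ring.sh
if [ "${RUN_CAPTURE:-0}" = "1" ]; then
    run_capture
fi
```

Start it detached from the login session (nohup, setsid, or a service unit) so logging out does not kill it, and size the ring for the traffic rate on that interface: with the answer's numbers the 16 GB ring holds roughly as much history as 16 GB of packets, so on a busy link a capture filter such as `CAPFILTER="host 10.0.0.5"` (placeholder address) keeps the months-old event from being overwritten before anyone looks.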