I need to do a long term capture on a server under high load and try to find session initiations with a TCP(SYN) that were not answered(SYN,ACK).
Since there is a high load on this server i thougt that I probably need capture filters so that i dont run out of memory on the server.
What i did was to add a capture filter that said "tcp[0xd]&2=2". It seems to work great. I see only SYN and SYN,ACK packets. I can then filter the capture with a display filter to look at the relevant IP address with a "ip.addr == 220.127.116.11".
My take on this is that wireshark will not use more memory than the amount of data that passes through from the capture filter.
My result is that i have ben running for 10 minutes capturing 19000 SYN and SYN,ACK packets. I have then used the display filter to narrow the result down to 48 packets. The problem is that Wireshark uses 2,43GB RAM after 10 minutes to store these 19000 packets. Some math on this says that it is using 126KB for storing each SYN/SYN,ACK.
Am i getting all this backwards somehow or could it be that more data is getting through the capture filter and stored in memory than what the capture filter says?
OS: Windows 2008 R2 Wireshark 1.8.3 64-bit
Thankfull for all help :)
asked 08 Nov '12, 07:52
Wireshark maintains state about conversations, i.e. SYN/SYN,ACK and this uses memory.
Use dumpcap to capture the data as this doesn't retain any state info. In addition you may want to set a snaplen (-s) to limit the amount of data actually captured and written to disk.
answered 08 Nov '12, 08:06