This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi all,

I am using tshark to sniff http traffic on a very busy server. Over the course of a number of hours I see a drastic increase in memory usage and the size of the temporary file increases rapidly. Eventually the process fills the disk and memory is so high that the tool grinds to a halt.

This is the command line I am using:

tshark.exe -i3 -l -f "tcp port 80" -O http -d tcp.port==80,http -o "ip.use_geoip:FALSE" -R "not tcp.analysis.retransmission" -T fields -e ip.host -e tcp.port -e http.request.full_uri -e http.request.method -e http.response.code -e http.response.phrase -e http.content_length -e text -E separator=;2>&0

Are any of these options memory consumers or file bloaters? Is there any way I could optimize it to improve the situation?

Is there any way I can get the tshark to release its memory and or delete the temporary file periodically?

Thanks

David

asked 04 Mar '13, 11:24

David%20Sackstein's gravatar image

David Sackstein
31448
accept rate: 0%


Unfortunately no. Tshark (and Wireshark) collect state information about conversations which isn't released even when using multiple files.

The normal recommendation is to use dumpcap (or tcpdump) for long running captures with multiple files then post-process the captures with tshark.

permanent link

answered 04 Mar '13, 13:41

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×91
×55
×23
×4
×1

question asked: 04 Mar '13, 11:24

question was seen: 2,806 times

last updated: 04 Mar '13, 13:41

p​o​w​e​r​e​d by O​S​Q​A