
Hi all,

I am using tshark to sniff http traffic on a very busy server. Over the course of a number of hours I see a drastic increase in memory usage and the size of the temporary file increases rapidly. Eventually the process fills the disk and memory is so high that the tool grinds to a halt.

This is the command line I am using:

tshark.exe -i3 -l -f "tcp port 80" -O http -d tcp.port==80,http -o "ip.use_geoip:FALSE" -R "not tcp.analysis.retransmission" -T fields -e -e tcp.port -e http.request.full_uri -e http.request.method -e http.response.code -e http.response.phrase -e http.content_length -e text -E separator=;2>&0

Are any of these options memory consumers or file bloaters? Is there any way I could optimize it to improve the situation?

Is there any way I can get the tshark to release its memory and/or delete the temporary file periodically?



asked 04 Mar '13, 11:24

David Sackstein

Unfortunately no. Tshark (and Wireshark) collect state information about conversations which isn't released even when using multiple files.

The normal recommendation is to use dumpcap (or tcpdump) for long-running captures with multiple files, then post-process the captures with tshark.


answered 04 Mar '13, 13:41

grahamb ♦
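
The workflow recommended in the answer above, as an added example that is not part of the original thread: dumpcap rotates capture files and a short-lived tshark process dissects each finished file, so the dissection state is freed when that process exits. The directory, file size, polling interval and the helper names `Convert-Capture` and `Get-CaptureFiles` are assumptions, as is having dumpcap.exe and tshark.exe on the PATH; `-Y` assumes tshark 1.10 or later (the question's `-R` is the older spelling).

```powershell
# Added example, not from the original thread. Paths, file size and polling
# interval are assumptions; interface 3 and the field list come from the question.
$CaptureDir = 'C:\captures'
$OutputCsv  = Join-Path $CaptureDir 'http.csv'
New-Item -ItemType Directory -Force -Path $CaptureDir | Out-Null

function Convert-Capture([string]$Path) {
    # One tshark process per file: its conversation state is freed when it exits.
    & tshark.exe -r $Path -d 'tcp.port==80,http' `
        -Y 'not tcp.analysis.retransmission' -T fields `
        -e tcp.port -e http.request.full_uri -e http.request.method `
        -e http.response.code -e http.response.phrase -e http.content_length `
        -E 'separator=;' | Add-Content -Path $OutputCsv
    # Delete the capture only if tshark read it successfully.
    if ($LASTEXITCODE -eq 0) { Remove-Item -Path $Path }
}

function Get-CaptureFiles {
    # dumpcap names files http_<sequence>_<timestamp>.pcapng, so name order is capture order.
    Get-ChildItem -Path $CaptureDir -Filter 'http_*.pcapng' | Sort-Object Name
}

# dumpcap writes packets without dissecting them. -b filesize is in kB: rotate every 100 MB.
$dumpcapArgs = @('-i', '3', '-f', '"tcp port 80"', '-b', 'filesize:102400',
                 '-w', (Join-Path $CaptureDir 'http.pcapng'))
$dumpcap = Start-Process -FilePath dumpcap.exe -ArgumentList $dumpcapArgs -PassThru -NoNewWindow

while (-not $dumpcap.HasExited) {
    Start-Sleep -Seconds 30
    $files = @(Get-CaptureFiles)
    # The newest file is still being written; process only the ones before it.
    if ($files.Count -ge 2) {
        $files[0..($files.Count - 2)] | ForEach-Object { Convert-Capture $_.FullName }
    }
}
# dumpcap has stopped, so the remaining file is complete as well.
@(Get-CaptureFiles) | ForEach-Object { Convert-Capture $_.FullName }
```

Because each file is dissected on its own, an HTTP exchange that straddles a file boundary is not matched up across the two files.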