
tshark memory consumption and temporary file usage


Hi all,

I am using tshark to sniff http traffic on a very busy server. Over the course of a number of hours I see a drastic increase in memory usage and the size of the temporary file increases rapidly. Eventually the process fills the disk and memory is so high that the tool grinds to a halt.

This is the command line I am using:

tshark.exe -i3 -l -f "tcp port 80" -O http -d tcp.port==80,http -o "ip.use_geoip:FALSE" -R "not tcp.analysis.retransmission" -T fields -e -e tcp.port -e http.request.full_uri -e http.request.method -e http.response.code -e http.response.phrase -e http.content_length -e text -E separator=;2>&0

Are any of these options memory consumers or file bloaters? Is there any way I could optimize it to improve the situation?

Is there any way I can get tshark to release its memory and/or delete the temporary file periodically?



asked 04 Mar '13, 11:24


David Sackstein

One Answer:


Unfortunately no. Tshark (and Wireshark) collect state information about conversations which isn't released even when using multiple files.

The normal recommendation is to use dumpcap (or tcpdump) for long-running captures with multiple files, then post-process the captures with tshark.

answered 04 Mar '13, 13:41


grahamb ♦
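The workflow recommended in the answer, as an added example that is not code from either poster: dumpcap writes a ring of capture files and a short-lived tshark process extracts the question's fields from each finished file, so dissection state is discarded when that process exits. The function names, the `capture` directory, the file size and file count are assumptions, and `-Y` is used for the display filter in place of the question's `-R`, which current tshark releases expect.

```python
import subprocess
from pathlib import Path

# Output fields taken from the question's command line.
FIELDS = ["tcp.port", "http.request.full_uri", "http.request.method",
          "http.response.code", "http.response.phrase", "http.content_length"]

def dumpcap_cmd(iface, out_dir, file_kb=102400, keep=50):
    """Capture only: dumpcap does not dissect, so its memory use stays flat."""
    return ["dumpcap", "-i", str(iface), "-f", "tcp port 80",
            "-b", f"filesize:{file_kb}",   # start a new file every ~100 MB (assumed size)
            "-b", f"files:{keep}",         # ring buffer: oldest file is deleted (assumed count)
            "-w", str(Path(out_dir) / "http.pcapng")]

def tshark_cmd(pcap):
    """Offline pass over one finished file with the question's filter and fields."""
    cmd = ["tshark", "-r", str(pcap), "-d", "tcp.port==80,http",
           "-Y", "not tcp.analysis.retransmission",
           "-T", "fields", "-E", "separator=;"]
    for field in FIELDS:
        cmd += ["-e", field]
    return cmd

def finished_files(out_dir, done):
    """Ring files not yet processed, excluding the newest one (still being written)."""
    files = sorted(Path(out_dir).glob("http_*.pcapng"), key=lambda p: p.name)
    return [p for p in files[:-1] if p.name not in done]

def process_once(out_dir, done, sink):
    """Run one tshark process per finished file; its state is freed on exit."""
    for pcap in finished_files(out_dir, done):
        result = subprocess.run(tshark_cmd(pcap), capture_output=True, text=True)
        sink.write(result.stdout)
        done.add(pcap.name)

if __name__ == "__main__":
    import sys, time
    out, done = Path("capture"), set()            # hypothetical output directory
    out.mkdir(exist_ok=True)
    cap = subprocess.Popen(dumpcap_cmd(3, out))   # interface 3, as in the question
    while cap.poll() is None:
        process_once(out, done, sys.stdout)
        time.sleep(30)
```

TCP analysis is restarted for every file, so a connection that crosses a file boundary is evaluated separately in each file. The ring buffer also deletes old files, so the post-processing loop has to keep pace with the capture.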