I am using tshark to sniff http traffic on a very busy server. Over the course of a number of hours I see a drastic increase in memory usage and the size of the temporary file increases rapidly. Eventually the process fills the disk and memory is so high that the tool grinds to a halt.
This is the command line I am using:
tshark.exe -i3 -l -f "tcp port 80" -O http -d tcp.port==80,http -o "ip.use_geoip:FALSE" -R "not tcp.analysis.retransmission" -T fields -e ip.host -e tcp.port -e http.request.full_uri -e http.request.method -e http.response.code -e http.response.phrase -e http.content_length -e text -E separator=;2>&0
Are any of these options memory consumers or file bloaters? Is there any way I could optimize it to improve the situation?
Is there any way I can get the tshark to release its memory and or delete the temporary file periodically?
asked 04 Mar '13, 11:24
Unfortunately no. Tshark (and Wireshark) collect state information about conversations which isn't released even when using multiple files.
The normal recommendation is to use dumpcap (or tcpdump) for long running captures with multiple files then post-process the captures with tshark.
answered 04 Mar '13, 13:41