This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark memory consumption and temporary file usage

0

Hi all,

I am using tshark to sniff http traffic on a very busy server. Over the course of a number of hours I see a drastic increase in memory usage and the size of the temporary file increases rapidly. Eventually the process fills the disk and memory is so high that the tool grinds to a halt.

This is the command line I am using:

tshark.exe -i3 -l -f "tcp port 80" -O http -d tcp.port==80,http -o "ip.use_geoip:FALSE" -R "not tcp.analysis.retransmission" -T fields -e ip.host -e tcp.port -e http.request.full_uri -e http.request.method -e http.response.code -e http.response.phrase -e http.content_length -e text -E separator=;2>&0

Are any of these options memory consumers or file bloaters? Is there any way I could optimize it to improve the situation?

Is there any way I can get tshark to release its memory and/or delete the temporary file periodically?

Thanks

David

asked 04 Mar '13, 11:24


David Sackstein
accept rate: 0%


One Answer:

0

Unfortunately no. Tshark (and Wireshark) collect state information about conversations which isn't released even when using multiple files.

The normal recommendation is to use dumpcap (or tcpdump) for long-running captures with multiple files, then post-process the captures with tshark.

answered 04 Mar '13, 13:41


grahamb ♦
accept rate: 22%
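
The workflow recommended in the answer above, sketched as an added example that is not part of the original thread: dumpcap writes rotating files, and a fresh tshark process dissects each closed file and then deletes it, so conversation state is freed when each tshark run exits. Assumptions: a POSIX shell, the hypothetical `CAP_DIR` and `OUT` paths, a 5-minute rotation, and a tshark new enough to take `-Y` (the question's older build used `-R`); the interface number, capture filter and field list are taken from the question.

```shell
#!/bin/sh
# Added example (not from the thread). Paths and rotation interval are assumptions.
CAP_DIR="${CAP_DIR:-./captures}"      # hypothetical capture directory
OUT="${OUT:-./http_fields.txt}"       # hypothetical output file

# Long-running capture: dumpcap does no dissection, so its memory use stays flat.
# -b duration:300 starts a new file every 5 minutes, named
# http_NNNNN_YYYYMMDDhhmmss.pcapng.
start_capture() {
    mkdir -p "$CAP_DIR"
    dumpcap -i 3 -f "tcp port 80" -b duration:300 -w "$CAP_DIR/http.pcapng"
}

# Print every capture file except the newest one, which dumpcap is still writing.
# Glob expansion is sorted, and the sequence number makes that chronological.
completed_captures() {
    set -- "$1"/*.pcapng
    [ -e "$1" ] || return 0           # no capture files yet
    while [ "$#" -gt 1 ]; do
        printf '%s\n' "$1"
        shift
    done
}

# Dissect each closed file in its own tshark process, append the fields,
# and delete the file only if tshark succeeded.
process_completed() {
    completed_captures "$CAP_DIR" | while IFS= read -r f; do
        tshark -r "$f" -d tcp.port==80,http \
            -Y "not tcp.analysis.retransmission" -T fields \
            -e ip.host -e tcp.port -e http.request.full_uri \
            -e http.request.method -e http.response.code \
            -e http.response.phrase -e http.content_length -e text \
            -E "separator=;" >> "$OUT" && rm -f -- "$f"
    done
}

# Usage: "script capture" in one terminal, "script process" from a scheduler.
case "${1:-}" in
    capture) start_capture ;;
    process) process_completed ;;
esac
```

Each file is analysed in isolation, so a TCP conversation that spans a rotation boundary is seen by two separate tshark runs and stream-level analysis (such as retransmission detection) does not carry across the boundary.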