This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi,

I written an application in C Language which uses tshark to apply the display filter. Application sends PDUs to tshark over stdin and receive filtered PDUs over stdout. I am using following command while launching tshark in child process

tshark -r - -R "Filter Expression" -w - -q -s0

This application runs continuously which send around 4000 PDUs/sec to thsark for filtering.

But the memory consumption of tshark is continuously increasing. After 10-12 hours, tshark was using 2.2 GB of memory. I have to kill tshark and restart to free-up memory usage.

I gone through http://wiki.wireshark.org/KnownBugs/OutOfMemory wiki page.

Is there any way to restrict the memory consumption of tshark??

asked 05 May '13, 02:30

friends's gravatar image

friends
21448
accept rate: 0%


Wireshark and tshark keep state of past connections to be able to dissect future packets properly. There is no mechanism in Wireshark or Tshark that flushes the state information. In Wireshark it is needed to be able to dissect a packet properly when it will be clicked on and even though tsharks one-pass design might make it possible to flush stale data, it uses the same engine as Wireshark.

Are you depending on display filters? What are you filtering on? Can capture (BPF) filters be used?

permanent link

answered 05 May '13, 02:36

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Yes, I need display filters. I need filtering of many fields of gsm_map layer (for example, msisdn). Capture filter does not provide all those filtering capability.

(06 May '13, 20:13) friends
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×832
×10
×3

question asked: 05 May '13, 02:30

question was seen: 2,159 times

last updated: 06 May '13, 20:13

p​o​w​e​r​e​d by O​S​Q​A