This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark memory consumption increasing continuously


Hi,

I have written an application in the C language which uses tshark to apply a display filter. The application sends PDUs to tshark over stdin and receives the filtered PDUs over stdout. I am using the following command when launching tshark in a child process:

tshark -r - -R "Filter Expression" -w - -q -s0

This application runs continuously and sends around 4000 PDUs/sec to tshark for filtering.

But the memory consumption of tshark is continuously increasing. After 10-12 hours, tshark was using 2.2 GB of memory. I have to kill tshark and restart it to free up the memory.

I have gone through the http://wiki.wireshark.org/KnownBugs/OutOfMemory wiki page.

Is there any way to restrict the memory consumption of tshark?

asked 05 May '13, 02:30

friends


One Answer:


Wireshark and tshark keep state of past connections to be able to dissect future packets properly. There is no mechanism in Wireshark or tshark that flushes the state information. In Wireshark it is needed to be able to dissect a packet properly when it is clicked on, and even though tshark's one-pass design might make it possible to flush stale data, it uses the same engine as Wireshark.

Are you depending on display filters? What are you filtering on? Can capture (BPF) filters be used?

answered 05 May '13, 02:36

SYN-bit ♦♦

Yes, I need display filters. I need filtering on many fields of the gsm_map layer (for example, msisdn). Capture filters do not provide all of those filtering capabilities.

(06 May '13, 20:13) friends
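
The kill-and-restart workaround from the question can be done gracefully between PDUs, so that output tshark has not yet written is not lost. The C code below is an added example, not code from the question, the answer or Wireshark: it assumes Linux /proc, and the helper names (child_rss_kib, should_recycle, spawn_filter, retire_filter) are hypothetical.

```c
/* Added example, not Wireshark code: hypothetical helper names, Linux /proc assumed. */
#include <stdio.h>
#include <unistd.h>
#include <sys/wait.h>

/* Resident set size of pid in KiB, from /proc/<pid>/statm; -1 on error. */
long child_rss_kib(pid_t pid) {
    char path[64];
    long size_pages, rss_pages;
    snprintf(path, sizeof path, "/proc/%d/statm", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    int n = fscanf(f, "%ld %ld", &size_pages, &rss_pages);
    fclose(f);
    return n == 2 ? rss_pages * (sysconf(_SC_PAGESIZE) / 1024) : -1;
}

/* Check between PDUs: recycle when the RSS is unreadable or above limit_kib. */
int should_recycle(pid_t pid, long limit_kib) {
    long rss = child_rss_kib(pid);
    return rss < 0 || rss > limit_kib;
}

/* Start cmd[0] with stdin/stdout on pipes; returns its pid, or -1 on failure. */
pid_t spawn_filter(char *const cmd[], int *to_child, int *from_child) {
    int in[2], out[2];
    if (pipe(in) < 0) return -1;
    if (pipe(out) < 0) { close(in[0]); close(in[1]); return -1; }
    pid_t pid = fork();
    if (pid == 0) {                                   /* child side */
        dup2(in[0], STDIN_FILENO); dup2(out[1], STDOUT_FILENO);
        close(in[0]); close(in[1]); close(out[0]); close(out[1]);
        execvp(cmd[0], cmd); _exit(127);              /* _exit only if exec failed */
    }
    close(in[0]); close(out[1]);
    if (pid < 0) { close(in[1]); close(out[0]); return -1; }
    *to_child = in[1]; *from_child = out[0];
    return pid;
}

/* EOF on stdin, copy the child's remaining output to sink_fd, then reap it. */
int retire_filter(pid_t pid, int to_child, int from_child, int sink_fd) {
    char buf[4096]; int status;
    close(to_child);
    for (ssize_t n; (n = read(from_child, buf, sizeof buf)) > 0; )
        if (write(sink_fd, buf, (size_t)n) != n) break;
    close(from_child);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The dissection state described in the answer is discarded with the old process, so recycle only at a point where losing it is acceptable. A fresh tshark started with `-r -` also expects a new capture file header on its stdin before the first PDU.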