Hi all, I'm using tshark to capture data. Normally, my tshark can run for 12 days, but yesterday it suddenly crashed after 2 days of running. I didn't see any error displayed on the screen. Here is my command:
About the cronjobs, I use 2 cronjobs to delete old files:
I'm pretty sure that it is not out of memory or disk space, because if so, it would have been written in the log. No core dump or segmentation fault. My output log is:
So, nothing wrong except the message in the /var/log
Dec 17 19:03:12 it crashed and never entered back to this mode until I ran tshark again on Dec 18 09:12:41. This is the exact time my tshark crashed, and em3 is my card where I capture data from. I don't know what it means and how to solve this problem. Please help me if you have any idea about this. Thank you so much.

asked 17 Dec '13, 18:00 hoangsonk49 edited 17 Dec '13, 19:00
One Answer:
As you've been informed many times, tshark (and Wireshark) are liable to run out of memory when run continuously. Until you can come up with a convincing explanation as to why this isn't the case with your current issue, most folks are going to assume it's yet another out of memory report.

answered 18 Dec '13, 02:35 grahamb ♦
Hi Grahamb, I'm pretty sure that is not the problem of memory because of 2 reasons:
Of course, these reasons are not enough to be perfectly sure that it is not a problem of memory, but in my experience, they quite convince me. Please feel free to contribute your comment or any idea. Thanks
You did not post the output of nohup.out, so we cannot see that there are no errors!
The length of time that tshark can run is related to the traffic captured, not the elapsed run time. Are you 100% certain that during this run the traffic being captured did not change from your previous runs?
The traffic may also have triggered a dissector bug, did you retain the capture file from when it crashed, and if so can it be read by tshark?
I did post. It is the output log, and I did check, but there is no error or core dump or segmentation fault in the whole file. Because it is too large, I show only some of the last lines before it stopped:
These are the last lines in the output log of the nohup command
I fully understand that the running of tshark is related to the traffic, so I checked with some engineers from the Telecom Operator, and they confirmed that at that time, there was no error with the network. Also, he showed me the statistics of the traffic on that day, but it was normal, similar to other days.
After it stopped, I collected all the related logs and also the .pcap. I used Wireshark on my PC to read the .pcap file and compared some of the last information in the .pcap with the output of nohup and with my log written by code, but found nothing. All information is identical.
I ask this question because I think maybe the message "device em3 left promiscuous mode" (/var/log/message) could be the clue to find out the reason, and you might have experience with this message, but after searching and reading some articles, I understand that this message is just a result, not a reason or clue. So I have nothing else to analyze to find the root cause. I will check the code and print more information to the log.