Wireshark 1.10.5, installed just today on w2k8 r2 system.
Normally I run Wireshark on Linux (openSUSE 12.x still, x86_64) and use it for hours on end and it's just fine. Today I needed to do some SSL decryption, so I had to fire up a VM and install Wireshark there. Getting the latest and installing it, everything is fine: I can filter into the stream I want (tcp.port==636) and packet decryption works, but memory growth is incredible. What starts as a 72 MB process (as shown in default Task Manager) while opening these little 200 or 900 KB files quickly balloons up past a couple hundred GB. In each case, after getting into the trace for a while (maybe fifteen minutes of poking through a stream packet by packet, maybe one hundred packets or so until I get to the end of the stream), Wireshark has taken so much memory that it starts erroring and eventually Windows tells me that it is a bad process and kills it. Restarting, everything is fine again; the problem continues. Just now, to do some verification, I scrolled quickly through about forty packets of SSLized LDAP packets, just going through the packet list, and the memory footprint went from 190 MB to 390 MB. Scrolling back down through the same list gets me up to 620 MB.
I know that memory growth is not a memory leak, but this is not normal memory growth, and having the application crash with a < 1 MB file open on any system is probably pushing the limits of what should ever happen. I do not know if this is related to the SSL decryption, but it could be. Otherwise, these traces were taken with tcpdump on SUSE Linux Enterprise Server (SLES) 11 SP3 x86_64 filtering on ports 53, 389, 524, and 636.
asked 10 Jan '14, 11:51
Sounds more like a memory leak to me, but this is something the developers may have to take a look at. If you can provide the trace and the steps to reproduce the problem you could open a bug at Bugzilla. Even if you can't share the trace you could at least describe how the problem may be reproducible.
answered 10 Jan '14, 17:21