This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

From other Q&A's I've gathered that tshark may intrinsically grow without limit, and in auditing a home WLAN using low power devices (500-1000 MB RAM), I've found it runs out of memory in in 6-8 hours. The total volume of packets does not seem to be a predictor, although the volume within a short time frame (0.5 GB/hour +) may be.

I'm only looking for specific information that it seems to me should not require this accumulation of memory, and hoping there's a smarter way to get it that can prevent this:

-T fields -e frame.time -e wlan.ra -e ip.src -e ip.len \
    -e tcp.srcport -e tcp.dstport -e frame.protocols \

Auditing a WLAN introduces a complication: I cannot arbitrarily restart tshark, because a constraint of monitor mode is that it must witness each device connecting to the network in order to track that device's packets. If I restart tshark, I must also restart the WLAN to force all devices to reconnect. There are only a handful of devices involved.

Currently the filter I am using is

-Y "ip && !ip.src == 192.168.0.0/24"

Is there a way to do this which would extend tshark's potential lifespan?

asked 24 Apr '15, 08:36

mk27's gravatar image

mk27
21337
accept rate: 0%

edited 24 Apr '15, 08:42


This is a limitation of tshark (and Wireshark) as they are packet analysers not network monitors and retain state information such as conversations and eventually will run out of memory as you have found. The rate of memory use is more down to the relationship between the packets rather than packet size.

I think you'll have to look for another tool to meet your requirements, which seem to involve WLAN decryption along with tcp port info and possibly other protocols in the frame.

permanent link

answered 24 Apr '15, 08:56

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

I'd forgotten about Evan's changes. Does WLAN decryption still work after a buffer changeover?

(27 Apr '15, 07:34) grahamb ♦

You could give a try to tshark from 1.99.X branch combined with the -b flag. See this blog post for details.

permanent link

answered 24 Apr '15, 11:34

Pascal%20Quantin's gravatar image

Pascal Quantin
5.5k1060
accept rate: 30%

The problem is not the output. It is the memory footprint of the tshark process; it continuously grows until the system runs out of RAM, then the OS kernel kills it.

(25 Apr '15, 05:43) mk27

With the flag I indicated, the memory will be released each time you start a new buffer, thus solving the memory growth.

(25 Apr '15, 06:19) Pascal Quantin
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×832
×349
×10

question asked: 24 Apr '15, 08:36

question was seen: 2,863 times

last updated: 27 Apr '15, 07:34

p​o​w​e​r​e​d by O​S​Q​A