This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi,

I recently upgraded my Wireshark from 1.x to 2.2.2 and noticed that the memory usage on Wireshark is excessively high. For example, I have a 2MB capture file and when I opened it in 2.2.2, it used almost 500MB of RAM. If I open the same file on 1.x, the memory was about 128MB.

Has anybody seen something like this before?

Thanks,

Blanco

asked 11 Dec '16, 19:36

blam008

On what OS are you running Wireshark?

Can you try this with the "legacy" version of 2.2.2? That might determine whether it's an issue with the 2.2.2 dissector core or with the Qt user interface (the "legacy" version uses the GTK+ UI but uses the exact same dissector core as the Qt version).

(12 Dec '16, 01:41) Guy Harris ♦♦

Can you share the capture in a publicly accessible spot, e.g. CloudShark, Google Drive, DropBox etc.?

(12 Dec '16, 02:25) grahamb ♦

@Guy - I'm using Win7 SP1 and I also tried the legacy version of 2.2.2 with the same result.

@grahamb - here's the link to the packet capture

https://www.dropbox.com/s/3z7wariqjl7bf52/CFE_lan0_0_2016-12-11-23-33-36.cap0?dl=0

Thanks!

(12 Dec '16, 03:42) blam008

Or it could be related to a preference setting. To confirm this, you could make a backup of your personal configuration folder (location found in Help -> About Wireshark -> Folders), empty it and restart Wireshark (it will take the default settings).

If it changes the behavior, then we could investigate which setting is impacting, and whether it is expected or not. For example, are you doing some TLS decryption? If yes, what's the memory usage if you remove the keys?

answered 13 Dec '16, 05:11

Pascal Quantin

Bingo! Perfect Pascal, it was indeed the pre-master log file for SSL that was causing the issue. The log file I had was 24MB and that triggered this problem. Once I removed that, memory usage went back to normal.

Thank you all for your help!

Blanco

(13 Dec '16, 06:34) blam008

Using your capture file and Wireshark portable 1.12.13 and 2.2.2, and checking the working set using Process Explorer I see a very small difference in the size before and after loading the capture:

  • 1.12.13, before 84 MB, after 88 MB
  • 2.2.2, before 86 MB, after 92 MB

How did you determine the memory usage has increased? Did you compare before and after loading the file, and did you do anything else while the capture was loaded?

answered 12 Dec '16, 06:42

grahamb ♦

edited 13 Dec '16, 05:05

I tried the portable version as well for 2.2.2 and sure enough, the problem doesn't exist. Now I'm wondering whether the issue has to do with 64bit version vs the 32bit version. The installed version that I'm having trouble with is 64bit.

As for determining memory usage, I used Windows Task Manager | Processes. When I loaded 64bit Wireshark, it started off at about 58MB. When I opened the capture file, it jumped to around 500MB.

(13 Dec '16, 04:25) blam008

Using a 64 bit build from master (2.3.0-rc) I see an increase (using Task Manager) from 65 MB to 71 MB when the file is opened.

Can you replicate the issue?

(13 Dec '16, 05:09) grahamb ♦

I was having extreme memory consumption issues, and Wireshark was going into a "not responding" state regularly. As a test I started Task Manager (to watch memory usage) then started a Wireshark capture on my laptop wired connection with nothing much going on.
The capture lasted four minutes. During that time, only 6,000 packets were captured.
But there were three occasions when Wireshark went "Not responding" during that time, and while "not responding" I could see the consumed memory ramping up rapidly.
With the hints from blam008 and Pascal, I looked at Edit>Preferences>Protocols>SSL>(pre)-master-secrets log file and found it pointed to d:\temp\sslkeylog.log.
I found this file was large (122Mb) and locked by Chrome for significant periods of time. Thunderbird also uses it.
I closed all applications which seemed to be using it, and renamed the file (hey - it is in \temp\ - what could possibly go wrong?)
Now, I am able to leave Wireshark running for significant periods without it hanging and gobbling up memory. As far as I can see, nothing ever "trims" this log, so on a busy PC (and mine is) it is going to just keep growing, and it would appear that Wireshark does not like dealing with this, especially when other applications "hog" it for significant periods of time.

answered 15 Jun '17, 12:10

boatbodger

edited 15 Jun '17, 12:51
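
One way to keep the key log that Wireshark loads small is to point it at a trimmed copy holding only the sessions in the capture under analysis. The sketch below is an added example, not part of the original answers: `trim_keylog` and the sample lines are constructed for illustration, and the set of ClientHello randoms is assumed to have been extracted from the capture separately.

```python
import re

# Key log line: "<LABEL> <64 hex chars: ClientHello random> <hex secret>".
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")


def trim_keylog(lines, wanted_randoms):
    """Return (kept_lines, stats), keeping only entries for wanted_randoms.

    wanted_randoms: hex ClientHello randoms seen in the capture (assumption:
    obtained elsewhere). Comments and blank lines are ignored; lines that do
    not parse (truncated writes, legacy entries not keyed by a 32-byte client
    random) are counted as skipped; exact repeats are counted as duplicates.
    """
    wanted = {r.lower() for r in wanted_randoms}
    kept, seen = [], set()
    stats = {"total": 0, "kept": 0, "skipped": 0, "duplicate": 0}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        stats["total"] += 1
        m = LINE_RE.match(line)
        if not m:
            stats["skipped"] += 1  # e.g. a half-written line from a live writer
            continue
        label, ident = m.group(1), m.group(2).lower()
        if ident not in wanted:
            continue  # secret for a session that is not in this capture
        if (label, ident) in seen:
            stats["duplicate"] += 1
            continue
        seen.add((label, ident))
        kept.append(line)
        stats["kept"] += 1
    return kept, stats


# Constructed sample: two sessions plus noise; all secrets are dummy values.
R1, R2 = "11" * 32, "22" * 32
SAMPLE = [
    "# constructed key log for this example",
    f"CLIENT_RANDOM {R1} {'aa' * 48}",
    f"CLIENT_RANDOM {R2} {'bb' * 48}",
    f"CLIENT_RANDOM {R1} {'aa' * 48}",
    f"CLIENT_TRAFFIC_SECRET_0 {R2} {'cc' * 32}",
    f"CLIENT_RANDOM {R1[:20]}",
]

if __name__ == "__main__":
    print(trim_keylog(SAMPLE, {R1}))
```

Write the kept lines to a new file and set that file as the (pre)-master-secret log in Wireshark; the trimmed copy still contains session secrets and needs the same protection as the original log.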

question asked: 11 Dec '16, 19:36

question was seen: 3,309 times

last updated: 19 Jun '17, 11:12