Hi, I recently upgraded my Wireshark from 1.x to 2.2.2 and noticed that the memory usage on Wireshark is excessively high. For example, I have a 2MB capture file and when I opened it in 2.2.2, it used almost 500MB of RAM. If I open the same file on 1.x, the memory was about 128MB. Has anybody seen something like this before? Thanks, Blanco asked 11 Dec '16, 19:36  blam008 |
3 Answers:
Or it could be related to a preference setting. To confirm this, you could make a backup of your personal configuration folder (location found in Help -> About Wireshark -> Folders), empty it and restart Wireshark (it will take the default settings). If it changes the behavior, then we could investigate which setting is impacting, and whether it is expected or not. For example, are you doing some TLS decryption? If yes, what's the memory usage if you remove the keys? answered 13 Dec '16, 05:11  Pascal Quantin Bingo! Perfect Pascal, it was indeed the pre-master log file for SSL that was causing the issue. The log file I had was 24MB and that triggered this problem. Once I remove that, memory usage went back to normal. Thank you all for your help! Blanco (13 Dec '16, 06:34) blam008 |
Using your capture file and Wireshark portable 1.12.13 and 2.2.2, and checking the working set using Process Explorer I see a very small difference in the size before and after loading the capture:
How did you determine the memory usage has increased? Did you compare before and after loading the file, and did you do anything else while the capture was loaded? answered 12 Dec '16, 06:42  grahamb ♦ edited 13 Dec '16, 05:05 I tried the portable version as well for 2.2.2 and sure enough, the problem doesn't exist. Now I'm wondering whether the issue has to do with 64bit version vs the 32bit version. The installed version that I'm having trouble with is 64bit. As for determining memory usage, I used Windows Task Manager | Processes. When I loaded 64bit Wireshark, it started off at about 58MB. When I opened the capture file, it jumped to around 500MB. (13 Dec '16, 04:25) blam008 Using a 64 bit build from master (2.3.0-rc) I see an increase (using Task Manager) from 65 MB to 71 MB when the file is opened. Can you replicate the issue? (13 Dec '16, 05:09) grahamb ♦ |
I was having extreme memory consumption issues, and Wireshark was going into a "not responding" state regularly. As a test I started task manager (to watch memory usage) then started a wireshark capture on my laptop wired connection with nothing much going on. answered 15 Jun '17, 12:10  boatbodger edited 15 Jun '17, 12:51 |
On what OS are you running Wireshark?
Can you try this with the "legacy" version of 2.2.2? That might determine whether it's an issue with the 2.2.2 dissector core or with the Qt user interface (the "legacy" version uses the GTK+ UI but uses the exact same dissector core as the Qt version).
Can you share the capture in a publicly accessible spot, e.g. CloudShark, Google Drive, DropBox etc.?
@Guy - I'm using this Win7 SP1 and I also tried the legacy version of 2.2.2 with the same result.
@grahamb - here's the link to the packet capture
https://www.dropbox.com/s/3z7wariqjl7bf52/CFE_lan0_0_2016-12-11-23-33-36.cap0?dl=0
Thanks!