I am getting a memory leak while trying to use tshark to monitor the traffic captured on a network interface. This can be seen by watching the resident memory usage of the tshark process, using the top command.
Since the monitoring needs to be long term and I am only interested in a single pass analysis, I launch tshark with the -M flag to perform periodic resetting of the EPAN session.
tshark -i eth0 -M 1500 -T fields -e eth.dst -e ip.version
Nevertheless, there is a slow increase in the memory consumption despite this periodic resetting.
The most confusing part is that the value provided to the -M argument seems to be relevant to the problem.
This does not leak (memory periodically resets):
tshark -i eth0 -M 150000 -T fields -e eth.dst -e ip.version
This leaks (memory is ever increasing):
tshark -i eth0 -M 1500 -T fields -e eth.dst -e ip.version
The Wireshark version I am using is 2.4.16, built from source, on an Ubuntu 12.04 VM. I have investigated this problem using later Wireshark versions (e.g. 3.0.6) and on other operating systems (e.g. CentOS 7) but the problem persists (although for different values of -M).
Is there an explanation or a solution for this?
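Added example, not part of the original post: one way to turn the top observation into a repeatable measurement is to sample the tshark process's VmRSS from /proc and compare the memory floor after each drop, which separates the "periodically resets" pattern from the "ever increasing" one. It assumes Linux; the function names, the 5% tolerance and all sample values are constructed for illustration.

```python
import re
import sys
import time

# Constructed sample of /proc/<pid>/status text (not captured from a real run).
SAMPLE_STATUS = "Name:\ttshark\nVmPeak:\t  250000 kB\nVmRSS:\t  183204 kB\nThreads:\t1\n"
# Constructed RSS series in MiB: one that drops back to a flat floor, one whose floor climbs.
SAWTOOTH = [100, 140, 180, 102, 141, 183, 101, 139, 181, 103]
CLIMBING = [100, 120, 110, 135, 126, 150, 142, 170]

def parse_vmrss_kib(status_text):
    """Return resident set size in KiB from the text of /proc/<pid>/status."""
    m = re.search(r"^VmRSS:\s+(\d+)\s+kB", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no VmRSS line found")
    return int(m.group(1))

def read_rss_kib(pid):
    """Read the current RSS of a live process (Linux only)."""
    with open(f"/proc/{pid}/status") as fh:
        return parse_vmrss_kib(fh.read())

def troughs(samples):
    """Local minima: the memory floor reached after each drop in usage."""
    return [b for a, b, c in zip(samples, samples[1:], samples[2:])
            if b < a and b <= c]

def classify(samples, tolerance=0.05):
    """'resets' if the floor stays flat, 'leaks' if it climbs or never drops."""
    floors = troughs(samples)
    if len(floors) < 2:
        # No repeated drops seen: judge on overall growth, if there is any.
        grew = samples[-1] > samples[0] * (1 + tolerance)
        return "leaks" if grew else "inconclusive"
    return "leaks" if floors[-1] > floors[0] * (1 + tolerance) else "resets"

if __name__ == "__main__":
    if len(sys.argv) < 2:
        # No pid given: run on the constructed series above.
        print(classify(SAWTOOTH), classify(CLIMBING))
    else:
        # Usage: script.py <tshark pid> [interval seconds] [sample count]
        pid = int(sys.argv[1])
        interval = float(sys.argv[2]) if len(sys.argv) > 2 else 10.0
        count = int(sys.argv[3]) if len(sys.argv) > 3 else 360
        samples = []
        for _ in range(count):
            samples.append(read_rss_kib(pid))
            time.sleep(interval)
        print(classify(samples), troughs(samples))
```

The sampling interval should be short relative to the time between drops in memory usage, otherwise the drops fall between samples and a resetting process is reported as leaking.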