Wireshark crash with a two instance long time capture

0

Hi, my wireshark crashed over night.

Short Version -> I had two instances of Wireshark running. For a long time capture over the weekend I configured multiple capture files (One file every 100MB). It seems like there was a memory overrun anyway. Any idea how to prevent my Shark from crashing?

Long Version -> I'm testing a network device with different scenarios. Tests might run over several days. To have a capture in case of errors occuring I use a Network Tap and a Monitor PC with two NIC and Wireshark installed. For both Wireshark instances (one for send and one for receive direction) a ring buffer with 200 files x 100MB is configured. The OS is Win Server2008R2 64Bit, the message I get is something like "GLib-Error**: gmem.c:136: failed to allocate 429496295 bytes aborting..." The capture aborted after about 7GB of capturefiles, 4GB of memory are installed on the machine.

I could try to use a second monitor PC, more RAM or a different OS but I hope you give me some ideas before I spend some hours on experiments :)

asked 02 Nov '11, 06:26

ratlos's gravatar image

ratlos
1111
accept rate: 0%

One Answer:
oldestnewestmost voted
3

Hi,

From the Wireshark Wiki:

If Wireshark is running out of memory, that probably means that you're letting it run for a very long time or you're analyzing very large capture files. You may find that another tool does what you want better than Wireshark. Use dumpcap for long term capturing, it's intended for this purpose, or see Tools for other tools which may be more suitable for the task

dumpcap

link

answered 02 Nov '11, 07:18

Anders's gravatar image

Anders ♦
1.9k126
accept rate: 15%

edited 02 Nov '11, 09:30

multipleinterfaces's gravatar image

multipleinte...
1.1k71229

Hi Anders,

thank you for your answer! The disadvantage in my case is, that I want some window where I can see the live traffic (at least during working hours). So a possibility would be to use dumpshark and wireshark simultanously. Dumpshark running with a ringbuffer while wireshark is opened and closed by a script at regular intervals (which should clean up the memory).

But perhaps there is another tool just for the memory cleaning? Or some other way to handle this bug?

(02 Nov '11, 09:41) ratlos
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×468
×17
×11
×4
×2

Asked: 02 Nov '11, 06:26

Seen: 1,349 times

Last updated: 02 Nov '11, 09:41

Related questions

Multiple concurrent Wireshark sessions

Wireshark not releasing memory back to OS while open...

capture ring buffer problem

[closed] how to capture using dumpcap

Memory Leak in 1.6.8?

Loading more than 1GB PCAP file

Wireshark showing lot of TCP retransmissions - Is it real Retransmission or Wireshark showing incorrectly

can i have two separate builds of wireshark running on my ubuntu?

problem with dissector_add function..

port mirroring with wireshark

about | faq | privacy | support | contact

powered by OSQA