 | 1 | initial version |
It's probably a resource bottleneck problem - I usually see this if the flood of incoming packets is high, e.g. more than a few 100 MBit/s. Unless I need/want to see packets in real time I do not use Wireshark for the capture anymore, but run dumpcap directly instead (which is the tool Wireshark calls for the capture as well). Seeing packets in real time is only useful if it's slow traffic, of course, which usually doesn't give you the trouble you experience. Note that with longer run time Wireshark accumulates meta information (e.g. TCP flow correlations, expert messages etc.) which will make you run out of memory eventually. dumpcap doesn't, and can run "forever".
See this blog post for more information:
https://blog.packet-foo.com/2013/05/the-notorious-wireshark-out-of-memory-problem/
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
