Ask Your Question

Memory leak in tshark

asked 2019-12-10 10:32:51 +0000

Pavlos gravatar image

updated 2019-12-10 14:20:19 +0000

I am getting a memory leak while trying to use tshark to monitor the traffic captured on a network interface. This can be seen by watching the resident memory usage of the tshark process, using the top command.

Since the monitoring needs to be long term and I am only interested in a single pass analysis, I launch tshark with the -M flag to perform periodic resetting of the EPAN session.

tshark -i eth0 -M 1500 -T fields -e eth.dst -e ip.version

Nevertheless, there is a slow increase in the memory consumption despite this periodic resetting.

The most confusing part is that the value provided to the -M argument seems be relevant to the problem.

This does not leak (memory periodically resets):

tshark -i eth0 -M 150000 -T fields -e eth.dst -e ip.version

This leaks (memory is ever increasing):

tshark -i eth0 -M 1500 -T fields -e eth.dst -e ip.version

The wireshark version I am using is 2.4.16, built from source, on an Ubuntu 12.04 VM. I have investigated this problem using later wireshark versions (e.g. 3.0.6) and on other operating systems (e.g. CentOS 7) but the problem persists (although for different values of -M).

Is there an explanation or a solution for this?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2019-12-11 16:27:21 +0000

Chuckc gravatar image

Good discussion in the comments about long term captures using tshark and/or dumpcap.

Bug 12231 - tshark uses ever increasing amount of memory

edit flag offensive delete link more


Thank you for your answer. The solutions proposed in this discussion concern capturing to a file.

In my case, I do not wish to export to a file, but rather print the dissected fields in the terminal (I do not wish to use the -w and -b options).

In my understanding, the -M flag should lead to similar results with regards to the memory.

Are there any additional steps I have to take so as to make -M actually reset all the memory?

Maybe something more internal such as tweaking of the wmem allocators?

Pavlos gravatar imagePavlos ( 2019-12-12 12:34:23 +0000 )edit

Adding a comment to Bug 12231 might get a better response.

Chuckc gravatar imageChuckc ( 2019-12-12 13:31:14 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2019-12-10 10:32:51 +0000

Seen: 306 times

Last updated: Dec 11 '19