"No buffer space available" reported when capturing high-volume traffic on nflog device on Linux
When my tshark program was running in the background, I used the SFTP protocol to download resources on the server. At this time, tshark reported the following error:
$ tshark -ni nflog:40 -w capturefile.pcap -b filesize:131072 -b files:120
Running as user "root" and group "root". This could be dangerous.
Capturing on 'nflog:40'
6654 tshark: Error while capturing packets: Can't receive packet 105:No buffer space available
Please report this to the Wireshark developers.
https://bugs.wireshark.org/
(This is not a crash; please do not report it as such.)
I checked my memory usage, and the swap space was very big.
Tasks: 99 total, 1 running, 98 sleeping, 0 stopped, 0 zombie
%Cpu(s): 34.5 us, 4.9 sy, 0.0 ni, 58.9 id, 0.0 wa, 0.0 hi, 1.7 si, 0.0 st
KiB Mem : 2047960 total, 662668 free, 936364 used, 448928 buff/cache
KiB Swap: 4194296 total, 4011780 free, 182516 used. 903000 avail Mem
The version of tshark:
$ tshark -v
Running as user "root" and group "root". This could be dangerous.
TShark (Wireshark) 2.6.10 (Git v2.6.10 packaged as 2.6.10-1~ubuntu16.04.0)
Copyright 1998-2019 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.48.2, with zlib 1.2.8, with SMI 0.4.8, with c-ares 1.10.0, with Lua
5.2.4, with GnuTLS 3.4.10, with Gcrypt 1.6.5, with MIT Kerberos, with MaxMind DB
resolver, with nghttp2 1.7.1, with LZ4, with Snappy, with libxml2 2.9.3.
Running on Linux 4.4.0-193-generic, with AMD Ryzen 9 3900X 12-Core Processor
(with SSE4.2), with 1999 MB of physical memory, with locale en_US, with
libpcap version 1.7.4, with GnuTLS 3.4.10, with Gcrypt 1.6.5, with zlib 1.2.8,
binary plugins supported (13 loaded).
Built using gcc 5.4.0 20160609.
I'm wondering why this happened?
tshark calls dumpcap which uses libpcap - that's an error bubbled up from libpcap
Can you add the output of tshark -v to your question?
Thanks for your reply, I have updated the output of tshark -v
Not always easy but if you could upgrade Wireshark and libpcap (Changelog)
There is a tshark '-B|--buffer-size' option.
The description in the man page seems very YMMV.
ok, I will try it.