Long running tshark process and "-M" flag

asked 2025-03-06 13:31:01 +0000

I have a long-running tshark process where I feed packets through a pipe. I would expect that when the "-M 10000" flag is in use, tshark memory usage should remain stable. However, tshark memory usage (RSS) keeps growing indefinitely and linearly.


Comments

Please update question with output of tshark -v

Chuckc ( 2025-03-06 13:37:49 +0000 )

Are you logging stderr?
fprintf(stderr, "resetting session.\n");

C:\Users\wireshark>"c:\Program Files\Wireshark\tshark.exe" -i 4 -M 5
Capturing on 'Wi-Fi'
    1   0.000000 ...
    2   0.033292 ...
    3   0.242135 ...
    4   0.244390  ...
    5   0.245864 ...
resetting session.
    1   0.272589  ...
Chuckc ( 2025-03-06 13:47:17 +0000 )

Will update the output of "-v" soon. Yes, I periodically see "resetting session". Still, RSS keeps growing.

yurac777 ( 2025-03-06 13:58:22 +0000 )

Output of "tshark -v":

Running as user "root" and group "root". This could be dangerous.
TShark (Wireshark) 4.5.0 (v4.5.0rc0-1486-ge96a549269cc).

Copyright 1998-2025 Gerald Combs <gerald@wireshark.org> and contributors.
Licensed under the terms of the GNU General Public License (version 2 or later).
This is free software; see the file named COPYING in the distribution. There is
NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compile-time info:
 Bit width: 64-bit
  Compiler: GCC 11.4.0
      GLib: 2.72.4
 With:
  +Gcrypt 1.9.4              +libpcap                   +PCRE2 10.39 2021-10-29
  +GnuTLS 3.7.3 and PKCS#11  +libxml2 2.9.13            +zlib 1.2.11
 Without:
  -brotli              -LZ4                 -Snappy
  -Kerberos            -MaxMind             -zlib-ng
  -libnl               -nghttp2             -Zstandard
  -libsmi              -nghttp3
  -Lua                 -POSIX capabilities

Runtime info:
      OS: Linux 6.5.0-1027-oem
     CPU: 13th Gen Intel(R) Core(TM) i7-1370P (with SSE4.2)
  Memory: 63940 MB of physical memory ...
yurac777 ( 2025-03-06 16:18:50 +0000 )

Have you looked at using the -b flag?

See: https://blog.wireshark.org/2014/07/to...

cmaynard ( 2025-03-06 18:17:20 +0000 )

1 Answer


answered 2025-03-06 17:06:21 +0000

Chuckc

15229: Tshark consumes a lot of memory during a continuous live capture
I don't see any open issues to improve this. Code seems the same as when added:
dd884611: Auto reset epan session
Unfortunately, it was done before the migration to GitLab, so there are no comments/discussion about desired results.

The tshark "about" info shows it running as root. Can be done as non-root: Blog: Running Wireshark as You

