This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark eats up memory at an alarming rate for versions after 1.6.5

I've now tested 5 different versions of Wireshark on my Windows 2008 R2 servers. The only version that I found not to eat up memory at an alarming rate is the 64-bit version of 1.6.5. I've tried 1.6.14, 1.8.2, 1.8.6 and they are all eating up memory at a crazy rate even when the packet rate is not that high. Eventually Wireshark will crash, which is a known bug, because it is running out of memory. My issue is the rate at which the newer versions are eating up memory over version 1.6.5. Can anyone explain what has changed since 1.6.5 that would account for this, or is this a bug?

asked 26 Mar '13, 12:39

rdoerr

One Answer:

Are you connecting with Remote Desktop to the Windows 2008 R2 server? You are likely hitting a memory leak in GTK2, the multi-platform GUI toolkit used by Wireshark. See bug 8281 for details.

answered 26 Mar '13, 13:07

Pascal Quantin

Yes, I am using Remote Desktop to connect to all of my Wireshark machines. This afternoon I tested all the versions from 1.6.5 up to 1.6.14 and here is what I figured out. The latest version that works without having the memory leak issue is 1.6.8. I was unable to test 1.6.9 since it failed to run after doing a fresh install. Versions 1.6.10 through 1.6.14 all have the same memory leak issue. I read up on the bug 8281 that you reported above but still didn't see any fix or workaround for this issue. I would think many people are using RDP on Windows 2008 R2.

Thanks

Ray

(26 Mar '13, 13:55) rdoerr

Unfortunately there is no fix available until we get a fixed GTK package (the 1.6.8 release is using GTK 2.24.10-20120208 while the 1.6.10 release is using version 2.24.10-2.7). In the meantime you can try using QTshark, or capture the pcap file with dumpcap/tshark and open it locally on your computer.

(26 Mar '13, 14:22) Pascal Quantin