Wireshark-bugs: [Wireshark-bugs] [Bug 5979] 64-bit Wireshark appears to hit 2-Gbyte memory limit
Date: Wed, 1 Jun 2011 06:44:21 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5979

Jeff Morriss <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]
            Summary|Wireshark crashes when      |64-bit Wireshark appears to
                   |running over night          |hit 2-Gbyte memory limit on
                   |(collecting lot of data)    |64-bit Windows

--- Comment #2 from Jeff Morriss <[email protected]> 2011-06-01 06:44:19 PDT ---
(In reply to comment #0)
> First I had an old version 1.2.x installed. There was the same problem.
> Now I installed latest version, I found yesterday (1.4.6), I took x64
> version, but got the same problem this morning. It looks like memory is
> running out.

This is a known problem, see:

http://wiki.wireshark.org/KnownBugs/OutOfMemory

> Just some calculation: It looks like wireshark needs 4 MByte each minute.
> I have 16 GBytes, so it should take 66 hours to fill complete memory.
> But this happens earlier.
> Perhaps there is 2 GByte limit, that it would be around 8 hours.
> This I can think could be valid.

There have been some reports of having a 2-Gbyte limit in 64-bit Windoze, for
example:

http://ask.wireshark.org/questions/3592/why-is-there-a-2gb-file-size-limit-on-x64-win7-with-4gb-ram

That despite the fact that Wireshark is supposed to be compiled in such a way
as to allow using the full 64-bit address space.

Changing this bug to follow this issue (since I can't find any other bugs about
it now).

> In my opinion crashing is the worst reaction. I have no trace at all.
> Perhaps it is better to stop monitoring and tell the user that memory is full.

There is code in Wireshark to prevent the crashes, but, as the above wiki
article explains, when it runs out of memory in one of the supporting
libraries, we can't do much about it.

Note, though, that the temporary trace file still exists, see the end of the
answer to this FAQ:

http://www.wireshark.org/faq.html#q7.12

> Additional ideas:
> 
> I don't know if it is possible or already implemented:
> It would also be nice to e.g. give wireshark x GB of memory
> and collect data as a ring buffer. Oldest data is last, but you always get
> latest x GByte of trace when you stop capturing.

Wireshark already has a "ring buffer mode" (the "use multiple files" and "use
ring buffer" options in the Capture Options dialog).

> (But then perhaps also triggers would be nice, e.g. when a certain condition
> happens the capture is stopped, or stopped 1 minute later, or 1000 packets
> later...)

The latter two options already exist. :-)

> Or would it be possible to write data continuously to disk?

Ring buffer mode can be used to capture continuously or to stop after some
period of time.  Really, for doing this kind of long-term capture, though,
Wireshark's dumpcap utility (which includes the ring-buffer functionality)
would be best.  It's lightweight and fast and its memory usage doesn't grow.
