Wireshark-dev: Re: [Wireshark-dev] regarding memory failure in wireshark
From: Sake Blok <[email protected]>
Date: Fri, 14 Nov 2008 16:11:14 +0100
On Fri, Nov 14, 2008 at 02:21:06PM +0100, Speck, Michael wrote:
> Hi Prashanth,
> 
> AFAIK, Wireshark uses as much memory as it could allocate by your
> systems. 
> The longer Wireshark runs the more memory is used. 
> 
> There are several solutions:
> First, you could install more RAM to your PC and/or increase the size of
> virtual (swap) memory.

This will not scale ;-)

> A second option is to use more then one capture
> files in a ring buffer fashion limiting each file's size to a reasonable
> (for your system) length. This could be easily configured in Wiresharks
> capture start dialog.

Unfortunately wireshark will not flush state information when starting
to write to a new file. This means that you will still run out-of-memory
in the end.

> A third option would be to capture only some bytes
> of each packet, but that is often not a good idea, especially if you are
> interested in the packet data.

This will also not scale ;-)


A fourth option would be to use dumpcap with a ringbuffer to do the
capturing and use wireshark to analyse the files you are interested in.
See: http://www.lovemytool.com/blog/2008/07/ostu_dumpcap.html

In this setup your disk space is the only limiter to the amount of trace
data you can keep, but you can let it run forever (I have used it for
months in several occasions).

Hope this helps,
Cheers,
    Sake