Hi,
On Fri, 19 Feb 2010 14:35:38 +0200, Boaz Galil <boaz20@xxxxxxxxx> wrote:
> Guy, Is there a way to know when the machine will run out of memory?
> (for example running Tshark for 1 hour = leak XMB.. or something like
> that.)
Tshark doesn't leaking memory, if it did that would be in error. What it
does do is build up context, which expands in time, depending on the
traffic captured. Therefore also no consumption rate can be defined.
> tcpdump is not part of the wireshark package, is there any
> solution for long packet capture with wireshark package?
As stated, use dumpcap.
All this information can be read on the Wiki:
http://wiki.wireshark.org/KnownBugs/OutOfMemory
Thanks,
Jaap
> On Fri, Feb 19, 2010 at 2:14 AM, Guy Harris wrote:
>
> On Feb 18, 2010, at 4:06 PM, Bob Carlson wrote:
>
>> We have been trying to do a long running capture and we cannot keep
> Wireshark up and running. WS is up to date. We are monitoring 1 port and
> writing out 100MB files. Each file is filled in a 2-4 hours. WS will not
> stay up forever. It dies every so often. We are trying a larger buffer
> size.
> >
>> Are there any known issues?
>
> Other than "dissecting packets consumes memory, so if you use Wireshark
> or TShark to do a long running capture, you will eventually run out of
> memory and Wireshark/TShark will fail"?
>
> The way to avoid that issue is not to use Wireshark or TShark to do
> long-running captures, and to use dumpcap instead.