Wireshark-users: Re: [Wireshark-users] Possible memory leak using Lua script
From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Tue, 08 Oct 2013 13:37:30 -0400
On 10/07/13 12:29, Javi Gallart wrote:
Hello

I am using a Lua script the extracts and writes to disk files from a
packet. When running in "realtime" everything goes smoothly but the
memory usage keeps growing until we have to restart everithing. So all
points to a memerory leak somehwere. We are tapping sigtran traffic.

Have you read this article? Chances are you're not looking at a leak at all:

http://wiki.wireshark.org/KnownBugs/OutOfMemory

Runnning with Valgring as recommended here
(http://wiki.wireshark.org/Development/Tips) I obtained this:

  Invalid read of size 4
     at 0x65E1D18: mtp3_addr_to_str_buf (in
/usr/lib64/libwireshark.so.3.1.1)
     by 0x619F303: address_to_str_buf (in /usr/lib64/libwireshark.so.3.1.1)
     by 0x619F6A5: ??? (in /usr/lib64/libwireshark.so.3.1.1)
     by 0x619DC64: ??? (in /usr/lib64/libwireshark.so.3.1.1)
     by 0x61A3884: ??? (in /usr/lib64/libwireshark.so.3.1.1)
     by 0x61A5C51: col_fill_in (in /usr/lib64/libwireshark.so.3.1.1)
     by 0x1211F5: ??? (in /usr/sbin/tshark)
     by 0x122A11: ??? (in /usr/sbin/tshark)
     by 0x114CC4: ??? (in /usr/sbin/tshark)
     by 0x9DA9B74: (below main) (in /usr/lib64/libc-2.17.so)
   Address 0x13886f54 is 4 bytes inside a block of size 28 free'd
[...]
  LEAK SUMMARY:
     definitely lost: 2,586,839 bytes in 151,327 blocks
[...]
Should I assume that there is a leak in mtp3_addr_to_str_buf function?

No, that's a memory use after the memory in question was freed (very different from a leak). That was fixed via https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8247; that fix is in the 1.10.x stable versions but not earlier versions.

That Valgrind does show ~2 Mb of leaked memory though I think that's pretty usual in the current stable branch--a lot of shutdown-related memory leaks have been fixed in the current development version.