Wireshark-users: Re: [Wireshark-users] Reliability?

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 19 Feb 2010 11:07:09 -0800
On Feb 19, 2010, at 5:04 AM, Jaap Keuter wrote:

> Tshark doesn't leak memory, if it did that would be in error. What it
> does do is build up context, which expands in time, depending on the
> traffic captured.

Well, *some* of the information it builds up isn't necessary in a one-pass program such as TShark; if it reassembles packets, there's no need for the reassembled packet data once all the packets that contain data from it are dissected.

However, it'd take some work to free that up when it's done.  I *suspect* that's one of the main reasons why TShark accumulates memory.

If TShark is being used in a way where it doesn't dissect packets - e.g., if it's saving to a file, not dissecting the packets as it does so, and not using a read filter - it shouldn't accumulate memory.  However, in that case, it should largely just be running as a front end to dumpcap.

(Note that tcpdump *also* accumulates memory if you're capturing and dissecting rather than saving to a file; it keeps state information in order to print relative sequence numbers for TCP.  If you're saving to a binary capture file, using the "-w" flag, it shouldn't accumulate memory.)
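
A simplified model of the tcpdump behaviour described in the last paragraph, added here as an illustration; it is not tcpdump's or TShark's code and not part of the original message, and the class names, addresses and sequence numbers are constructed. Printing relative sequence numbers needs one remembered value per flow direction, so the table grows with the number of connections seen, while the write-to-file path keeps nothing per packet.

```python
# Added illustration of per-flow state growth; all packets are constructed samples.
from typing import NamedTuple


class Seg(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    seq: int  # absolute 32-bit TCP sequence number


class RelativeSeqPrinter:
    """Dissecting path: remembers the first sequence number per flow direction."""

    def __init__(self):
        self.base = {}  # (src, sport, dst, dport) -> first sequence number seen

    def dissect(self, s: Seg) -> int:
        key = (s.src, s.sport, s.dst, s.dport)
        # The first segment seen becomes the reference point. In this model
        # nothing ever removes the entry, so it lives as long as the process.
        first = self.base.setdefault(key, s.seq)
        return (s.seq - first) % 2**32  # sequence numbers wrap at 32 bits


class RawWriter:
    """Save-to-file path: each packet is appended to the output and forgotten."""

    def __init__(self, out):
        self.out = out

    def write(self, raw: bytes) -> None:
        self.out.write(raw)


def state_after(n_flows: int, segs_per_flow: int = 3) -> int:
    """Feed n_flows constructed connections through the printer; return table size."""
    p = RelativeSeqPrinter()
    for i in range(n_flows):
        isn = (0xFFFFFF00 + i * 7919) % 2**32  # constructed initial sequence number
        for j in range(segs_per_flow):
            seq = (isn + j * 100) % 2**32
            p.dissect(Seg("10.0.0.1", 1024 + i, "10.0.0.2", 80, seq))
    return len(p.base)
```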