[Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>]

Will Cladek wrote:
> The following happens on both tshark 1.0.15 installed from Red Hat 
> package on CentOS 5 and 1.2.15 from package on CentOS 6.
>
> I am attempting to run tshark on a high-utilization link in a manner 
> that will print out, using display filters, the user agents of all HTTP 
> requests.  The first problem is that by default, tshark writes all raw 
> data to temporary capture files in /tmp, so if you leave it running 
> endlessly, it fills up all of the disk space on the system.  To resolve 
> this, I use the -b option to write to a few files of a set size which 
> are overwritten.
>
> With just the -b option, I can seemingly run tshark endlessly.  For 
> instance, I ran the following simple capture overnight:
>
> #> tshark -b filesize:100000 -b files:5 -w test.pcap -i eth4
>
> And came back the next morning with over a billion packets having been 
> processed, but no complaints.
>
> My problem comes when I throw in the -S option to print out the decoded 
> packets as well for my aforementioned purpose.  I run the following 
> command:
>
> #> tshark -S -b filesize:100000 -b files:5 -w test.pcap -i eth4 > /dev/null
>
> And every time, within a minute, tshark crashes with the message:
>
> tshark: The file "test_00005_20130111092347.pcap" doesn't exist.
>
> (The name of the .pcap file will obviously vary.)
>
> This is follwed by either "Segmentation fault" or something like "*** 
> glibc detected *** tshark: double free or corruption (fasttop): 
> 0x00002ba03da05de0 ***" followed by a printed out Backtrace.
>
> It appears that there is some kind of condition where tshark tries to 
> delete a ring buffer file that's already been deleted, and this only 
> occurs when the -S flag is used.

This is an old problem:

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1650

Basically tshark isn't keeping up with the rate of traffic that dumpcap 
(the capture utility) is writing.  dumpcap has gotten N (in your case 5) 
files ahead of tshark and removed a file before tshark even got to it.

In other words: dumpcap is writing packets much faster than tshark is 
able to read and decode them and then print out the results of that decode.

One suggestion would be to avoid doing a full decode and print ("-S") 
but rather limit the decode output significantly ("tshark -T fields 
-ehttp.referer").  That might help.  You could also mess with process 
priorities and the like but I doubt that would buy you much.