-1

System: Win 10 Pro and latest updates (Sept. 2020) 64Bit.

Problem: Using dumpcap (Dumpcap (Wireshark) 3.2.5 (v3.2.5-0-ged20ddea8138)) with a ring buffer reserves RAM even after closing dumpcap.exe. The PC needs to be restarted to free the memory. Logging off doesn't do it.

Dumpcap command:

Exe: `C:\Program Files\Wireshark\dumpcap.exe`

Arguments: `-i "Interface" -w "ValidLogFolder" -b files:20 -b filesize:600`

Filesize does not really matter; even with a 2 GByte filesize I get the same behaviour. I checked whether I have files * filesize * [KByte] of RAM free. The data is saved on an SSD.

Before starting dumpcap.exe the RAM usage is around 4 GByte. When I let it run (10 Gbit interface with 8 Gbit/s traffic) the usage crawls up. The following picture shows the RAM usage after I stopped dumpcap.exe. The usage stays where it was when I stopped dumpcap.

[Image: RAM usage after dumpcap.exe was stopped]

Also, the ring buffer is not overwriting existing files; it's adding new files. I tried changing the order of the commands.

What is going on here?

I want to set up a ring buffer for long-term monitoring of the massive traffic.

Edit: I opened an issue on GitLab: https://gitlab.com/wireshark/wireshark/-/issues/16846

Eggi
  • Search the Gitlab issues for a similar problem, and if you can't find one create one for this. https://gitlab.com/wireshark/wireshark/-/issues?label_name%5B%5D=cli%3A%3Adumpcap – Bert Sep 10 '20 at 15:25
  • Have you tried to restart the pcap service that does the actual traffic sniffing? – Robert Sep 10 '20 at 21:01
  • I'll look through the Gitlab and update the question. @Robert I haven't found dumpcap/wireshark in the processes list in the task manager and found no service called wireshark, dumpcap or pcap after creating the problem. Should it have another name? I looked through the running services and couldn't find one which sounds like it has an association with dumpcap. – Eggi Sep 14 '20 at 07:23
  • @Eggi npcap is installed as a driver, hence it is not visible in the services list. However, you can restart it via an admin PowerShell: `Restart-Service npcap`. – Robert Sep 14 '20 at 07:42
  • @Robert `Restart-Service npcap` and `Stop-Service npcap` didn't free the memory. – Eggi Sep 14 '20 at 08:48
  • Ok to those downvoting this question: Can you at least tell me what I can improve for future questions? – Eggi Sep 14 '20 at 11:30

1 Answer

1

The problem was with the npcap driver 0.9994. To quote the answer from GitLab:

> Yes previous versions of Npcap were leaking memory. They are hopefully fixed with 0.9997... We currently ship Npcap 0.9997 in our Wireshark 3.3.0 development snapshots and we will bundle it in Wireshark 3.2.7.

Eggi