Dumpcap – Ram still reserved after stop

Posted on

A server stack is the collection of software that forms the operational infrastructure on a given machine. In a computing context, a stack is an ordered pile. A server stack is one type of solution stack — an ordered selection of software that makes it possible to complete a particular task. Like in this post about Dumpcap – Ram still reserved after stop was one problem in server stack that need for a solution. Below are some tips in manage your windows server when you find problem about windows, wireshark, , , .

System: Win 10 Pro and latest updates (Sept. 2020) 64Bit.

Problem: Using dumpcap (Dumpcap (Wireshark) 3.2.5 (v3.2.5-0-ged20ddea8138)) with a ringbuffer reserves RAM even after closing the dumpcap.exe. The PC needs to be restarted to free the mem. Login off doesn’t do it.

Dumpcap command:

Exe: C:Program FilesWiresharkdumpcap.exe

Arguments: -i “Interface” -w “ValidLogFolder” -b files:20 -b filesize:600

Filesize does not really mather, even with a 2GByte Filesize i get the same behaviour. I chekced if i have files * filesize * [KByte] ram free. The data is saved on a ssd.

Before starting the dumpcap.exe the RAM usage is around 4GByte. When i let it run (10Gbit Interface with 8Gbit/s traffic) the usage crawls up. In the following picture is the RAM usage after i stopped the dumpcap.exe. The usage stays where i stop the dumpcap.

enter image description here

Also, the ringbuffer is not overwriting existing files, its adding new files. I Tried canging the order of the commands.

What is going on here?

I want to make a ringbuffer to make a long term monitoring of the massive traffic.

I opened an issue on Gitlab:

The problem was with the npcap driver 0.9994. To quote the answer from GitLAB:

Yes previous versions of Npcap were leaking memory. They are hopefully
fixed with 0.9997… We currently ship Npap 0.9997 in our Wireshark
3.3.0 development snapshots and we will bundle it in Wireshark 3.2.7.

Leave a Reply

Your email address will not be published.