tshark uses up all the space in /tmp

Bug #210670 reported by Martin Pool on 2008-04-02
Affects Status Importance Assigned to Milestone
wireshark (Debian)
wireshark (Ubuntu)

Bug Description

Binary package hint: wireshark

I ran "sudo tshark -p -i eth0 -R http.request" which prints requests to stdout.

This creates an enormous dump file in /tmp, which eventually used up all the space on that partition. It didn't give an error, it just stopped logging once it was full.

It would be nice if it either used a pipe, or rolled over the file every so often. The command makes no use of packets captured a long time ago.

Daniel T Chen (crimsun) wrote :

Is this symptom still reproducible in 8.04 or 8.10?

Changed in wireshark:
importance: Undecided → Low
status: New → Incomplete
Martin Pool (mbp) wrote :

Yes, it's still reproducible. Just run tshark then lsof and you'll see a regular tmpfile still in use.

Changed in wireshark:
status: Incomplete → Confirmed
Gerald Combs (gerald.combs) wrote :

TShark inherits that behavior from Wireshark (which _does_ let you go back in time). It probably shouldn't do that, but you can work around the problem using the ring buffer (-b) option: http://www.wireshark.org/docs/man-pages/tshark.html

Ken Sharp (kennybobs) wrote :

How is this a bug? The application is working as designed. Can this be closed?

Ken Sharp (kennybobs) wrote :

No answer in over a year, says it all. Application working as designed.

Changed in wireshark (Ubuntu):
status: Confirmed → Invalid
Martin Pool (mbp) on 2010-11-24
Changed in wireshark (Ubuntu):
status: Invalid → Confirmed
Martin Pool (mbp) wrote :

Ken, please don't close bugs when the bug still exists and the upstream maintainer has acknowledged "it probably shouldn't do that."

The reason it's a bug is pretty clear from the original report and the later comments: you run 'tshark' in a window to monitor traffic on the network. Some time later, tshark crashes and other parts of the system have trouble, because (on a default Ubuntu install) the root partition is now entirely full. There is no benefit to this behaviour and afaics no reason it needs to be implemented this way.

@Martin I agree but IMHO this bug should be reported upstream to wireshark developers, not downstream

Fowarded, please run apport-collect 210670

Balint Reczey (rbalint) wrote :

Martin: It is not a bug.
If you don't want to fill your partition, please check the -b option as Gerald already suggested.

Changed in wireshark:
importance: Unknown → High
status: Unknown → Invalid
Changed in wireshark (Debian):
status: Unknown → Confirmed
Logan Rosen (logan) on 2012-05-14
Changed in wireshark:
importance: High → Unknown
status: Invalid → Unknown
Changed in wireshark:
importance: Unknown → High
status: Unknown → Confirmed
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.