Network Monitor memory use on a long capture

  • Question

  • Here is my situation...

    I am having a very random error on my network.  To diagnose, I have a computer set up that I want to do a long (24-48 hour) capture.  This PC is an i5 with 4GB RAM and a clean 750GB HD, so there should not be a resource issue.

    I have set up very specific capture filters, so it only captures about 50-100 packets/minute.  However, over about 30 min, my memory use on netmon.exe jumps from 80MB to over 1.3GB and then the application hangs.  Once that happens, my whole capture is gone.

    What suggestions do you have?

    Thanks!

    Wednesday, May 26, 2010 4:28 PM

All replies

  • For any long term captures, we recommend that you use NMCap instead of the UI.  Assuming your filter does not require conversations, NMCap should be able to run for a long time.  And filter for protocols TCP and believe will most likely not require filters.  So for instance if you are looking to filter out TCP.Port==80 traffic, the NMCap command line would be:

    nmcap /network * /capture tcp.port==80 /file test.cap:500M /disableconversations

    This will capture with a 500 meg circular capture.  If you need more history you can use chain captures instead (test.chn:500M).

    The problem with running the UI is that it captures forever and never gets rid of conversation info.  Over time this eats up memory.  While you can disable conversation in the UI, NMCap has a lower memory footprint overall and is well suited to capturing for long periods.

    Let me know if you need more information.

    Thanks,

    Paul

    Wednesday, May 26, 2010 5:02 PM
  • In this case, I think you'd better use a network sniffer that supports 7/24 capturing. Like Wireshark, Capsa, etc. I think that would be more helpful.
    Wednesday, June 9, 2010 2:52 AM
  • FYI: NMCap also supports 7/24 capturing.  As long as you disable conversations when you are using a filter.

    Paul

    Wednesday, June 9, 2010 2:21 PM
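
Added example (not part of the thread and not Microsoft's own script): a PowerShell wrapper for the chained variant of the NMCap command in the first reply, which prunes the oldest capture files to stay inside a disk budget and logs NMCap's working set so that memory growth like the one described in the question becomes visible. The install path, output folder, budget, and the assumption that chained captures are written as `test*.cap` files are assumptions, not details from the thread.

```powershell
# Added example. All paths and limits below are assumptions; adjust to your system.
$NmCap      = 'C:\Program Files\Microsoft Network Monitor 3\nmcap.exe'  # assumed install path
$CaptureDir = 'D:\captures'     # hypothetical output folder (no spaces in the path)
$BudgetGB   = 20                # hypothetical disk budget for all chained files
$Filter     = 'tcp.port==80'    # capture filter taken from the reply above

New-Item -ItemType Directory -Force -Path $CaptureDir | Out-Null

# Same switches as the command in the reply, with a chained (.chn) target
# instead of a circular .cap file so that more history is kept.
$nmArgs = @('/network', '*', '/capture', $Filter,
            '/file', (Join-Path $CaptureDir 'test.chn:500M'),
            '/disableconversations')
$proc = Start-Process -FilePath $NmCap -ArgumentList $nmArgs -PassThru -NoNewWindow

while (-not $proc.HasExited) {
    Start-Sleep -Seconds 60

    # Assumption: chained captures appear as test*.cap in the output folder.
    $files = @(Get-ChildItem -Path $CaptureDir -Filter 'test*.cap' |
               Sort-Object LastWriteTime)
    $total = ($files | Measure-Object -Property Length -Sum).Sum

    # Delete oldest files first; never touch the newest one, which NMCap
    # is still writing. (-SkipLast needs PowerShell 5.0 or later.)
    foreach ($f in ($files | Select-Object -SkipLast 1)) {
        if ($total -le $BudgetGB * 1GB) { break }
        Remove-Item -LiteralPath $f.FullName -ErrorAction SilentlyContinue
        $total -= $f.Length
    }

    # Log the capture process's memory use and the space used on disk.
    $proc.Refresh()
    '{0:u}  nmcap working set: {1:N0} MB  capture files: {2:N1} GB' -f `
        (Get-Date), ($proc.WorkingSet64 / 1MB), ($total / 1GB)
}
```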