Troubleshoot Tip: Stopping and restarting packet capture through the GUI continuously increases memory usage

AnthonyH · ‎07-18-2025

Description

This articles describes a known issue where creating and restarting multiple packet captures can cause an increase in memory.

Scope

FortiGate.

Solution

If multiple packet captures (a maximum of 6) have been created under Network -> Diagnostics -> Packet Capture -> New packet capture, discarding and restarting the captures can cause a gradual increase in memory usage.

At a base line, the FortiGate 61F used in this demonstration shows the memory usage at 63.8.%

get sys perf status
CPU states: 1% user 0% system 0% nice 99% idle 0% iowait 0% irq 0% softirq
CPU0 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU1 states: 1% user 0% system 0% nice 99% idle 0% iowait 0% irq 0% softirq
CPU2 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU3 states: 1% user 0% system 0% nice 99% idle 0% iowait 0% irq 0% softirq
CPU4 states: 2% user 0% system 0% nice 98% idle 0% iowait 0% irq 0% softirq
CPU5 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU6 states: 3% user 0% system 0% nice 97% idle 0% iowait 0% irq 0% softirq
CPU7 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
Memory: 1963616k total, 1251848k used (63.8%), 478904k free (24.4%), 232864k freeable (11.8%)
Average network usage: 459 / 454 kbps in 1 minute, 434 / 441 kbps in 10 minutes, 319 / 323 kbps in 30 minutes
Maximal network usage: 1344 / 1371 kbps in 1 minute, 3226 / 3097 kbps in 10 minutes, 3226 / 4985 kbps in 30 minutes
Average sessions: 106 sessions in 1 minute, 92 sessions in 10 minutes, 88 sessions in 30 minutes
Maximal sessions: 121 sessions in 1 minute, 121 sessions in 10 minutes, 121 sessions in 30 minutes
Average session setup rate: 0 sessions per second in last 1 minute, 0 sessions per second in last 10 minutes, 0 sessions per second in last 30 minutes
Maximal session setup rate: 6 sessions per second in last 1 minute, 11 sessions per second in last 10 minutes, 12 sessions per second in last 30 minutes
Average NPU sessions: 9 sessions in last 1 minute, 14 sessions in last 10 minutes, 11 sessions in last 30 minutes
Maximal NPU sessions: 12 sessions in last 1 minute, 25 sessions in last 10 minutes, 25 sessions in last 30 minutes
Average nTurbo sessions: 6 sessions in last 1 minute, 11 sessions in last 10 minutes, 8 sessions in last 30 minutes
Maximal nTurbo sessions: 8 sessions in last 1 minute, 20 sessions in last 10 minutes, 20 sessions in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 7 days, 22 hours, 39 minutes

diag sys top-mem
node (11540): 74448kB
ipsengine (360): 63384kB
ipsengine (361): 61639kB
wad (303): 31533kB
ipshelper (206): 26291kB
Top-5 memory used: 257295kB

After creating 6 packet captures (about 1% per capture):

diag sys top-mem
node (11540): 164880kB
ipsengine (360): 63329kB
ipsengine (361): 61756kB
wad (303): 31535kB
ipshelper (206): 26287kB
Top-5 memory used: 347787kB

After discarding and restarting can cause the node daemon to increase.

diag sys top-mem
node (11540): 244853kB
ipsengine (360): 63333kB
ipsengine (361): 61760kB
wad (303): 31539kB
ipshelper (206): 26640kB
Top-5 memory used: 428125kB

However, attempting to delete the packet captures will not release the node memory. Alternatively, restart the node process ID.

diag sys process pidof node
11540

diag sys kill 11 11540

Connection lost. Press Enter to start a new session.

diag sys top-mem
ipsengine (360): 63328kB
ipsengine (361): 61775kB
node (11801): 38094kB
wad (303): 31539kB
ipshelper (206): 26291kB
Top-5 memory used: 221027kB

This a known issue that is being addressed in FortiOS v7.4, v7.6.

Troubleshoot Tip: Stopping and restarting packet capture through the GUI continuously increases memory usage

You are leaving our website