This is a static archive of our old Q&A Site. Please post any new questions and answers at

Wireshark core dump while dissecting http traffic capture


Hi all,

I'm using wireshark to decode traffic captures in order to login requests/answers from a web service.

My current version is:

bash-3.00$ /usr/local/bin/tshark -v TShark 1.6.4 (SVN Rev Unknown from unknown)

Copyright 1998-2011 Gerald Combs [email protected] and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GLib 2.25.13, with libpcap 1.1.1, with libz 1.2.5, without POSIX capabilities, without libpcre, without SMI, without c-ares, with ADNS, without Lua, without Python, with GnuTLS 2.8.6, with Gcrypt 1.4.6, without Kerberos, with GeoIP.

Running on SunOS 5.10, with libpcap version 1.1.1, with libz 1.2.3.

Built using gcc 3.4.6.

The core dump occurs for most of my capture files (snoop on solaris 10).

For example:

bash-3.00$ /usr/local/bin/tshark -o tcp.check_checksum:false -r teste.cap -V -d tcp.port==10010,http

(Ultra cool dissecting for some thousands http posts)

And then:

[Malformed Packet: T.38] [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)] [Message: Malformed Packet (Exception occurred)] [Severity level: Error] [Group: Malformed]

Bus Error (core dumped)

Anyone has any ideas on how to try to solve this problem? Even if the dump contains some malformed packets, is it possible to ignore and continue?



asked 13 Apr '12, 11:00

Alexandre%20Vieira's gravatar image

Alexandre Vi...
accept rate: 0%

2 Answers:


The core dump means there's a bug in that version of TShark. TShark doesn't deliberately panic when it sees malformed packets; there's probably code that's not being sufficiently cautious about the packet data it's parsing.

If you have a debugger (gdb or dbx or lldb or...), try running the debugger with the TShark binary and the core dump file, and get a stack trace from the crash. Then file a bug on the Wireshark bugzilla, and attach the stack trace. (Do NOT attach the core dump file - it's large and won't be useful except on a Solaris 10 machine with the same instruction set architecture and the same binary of TShark, and most of us probably won't have that.)

answered 13 Apr '12, 11:38

Guy%20Harris's gravatar image

Guy Harris ♦♦
accept rate: 19%


In most of the cases I use tcpdump, tshark or wireshark. But these tools were not sufficient in all cases. So I looked out for other tools and it seems I found a very cool console based network sniffer for analyzing HTTP traffic on linux: justniffer.

answered 11 May '12, 03:23

Augustyn2's gravatar image

accept rate: 0%