This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

mac crash with “Duplicate protocol name”

1

On Mac OS X 10.6.8, Wireshark 1.8.1 will crash with "Duplicate protocol name":

$ wireshark 
2012-07-30 11:54:01.134 defaults[766:903] 
The domain/default pair of (kCFPreferencesAnyApplication, AppleAquaColorVariant) does not exist
2012-07-30 11:54:01.143 defaults[767:903] 
The domain/default pair of (kCFPreferencesAnyApplication, AppleHighlightColor) does not exist

(process:756): Gtk-WARNING **: Locale not supported by C library.
Using the fallback 'C' locale.
Xlib: extension "RANDR" missing on display "/tmp/launch-LsbeDg/org.x:0".

(wireshark-bin:756): Gtk-WARNING **: Unable to locate theme engine in module_path: "clearlooks",
11:54:01 Err Duplicate protocol name "Coseventcomm Dissector Using GIOP API"!
This might be caused by an inappropriate plugin or a development error.
Trace/BPT trap

How to fix this? I’ve uninstalled, restarted, and reinstalled.

asked 30 Jul ‘12, 11:01

paleozogt

edited 30 Jul ‘12, 11:05


3 Answers:

1

air:~ nate$ rm -rf /Applications/Wireshark.app/Contents/Resources/lib/wireshark/plugins/coseventcomm.*

air:~ nate$ rm -rf /Applications/Wireshark.app/Contents/Resources/lib/wireshark/plugins/cosnaming.*

air:~ nate$ rm -rf /Applications/Wireshark.app/Contents/Resources/lib/wireshark/plugins/parlay.*

air:~ nate$ rm -rf /Applications/Wireshark.app/Contents/Resources/lib/wireshark/plugins/sercosiii.*

air:~ nate$ rm -rf /Applications/Wireshark.app/Contents/Resources/lib/wireshark/plugins/tango.*

Fixed it for me.

a 'locate giop' provided no results, and there was no giop plugin...

hm

answered 23 Aug '12, 00:01

natenate19

GIOP is the CORBA General Inter-ORB Protocol; Wireshark's dissector for it is built-in. The offending plugins (except for SERCOS III) are for protocols implemented atop GIOP/IIOP (just as, say, NFS is implemented atop ONC RPC). They were converted to built-in dissectors in Wireshark 1.8; as the Wireshark installer doesn't get rid of old plugins, if you install 1.8.x on top of a system with an earlier Wireshark version, you may end up with a Wireshark with a built-in and a plugin dissector for the same protocol, and hilarity ensues.

(24 Aug '12, 19:47) Guy Harris ♦♦

I had to rm -rf /Applications/Wireshark.app/Contents/Resources/lib/wireshark/plugins/interlink.* as well, but after that it launches.

(18 Jun '13, 04:04) MagerValp

0

There's probably a plugin left over from an earlier installation (maybe you installed over an old version?). See bug 7401 and this email thread on the -users list.

(BTW, yes, you should presumably be allowed to install over the old version but the bug is still open.)

answered 30 Jul '12, 14:12

JeffMorriss ♦

It's unclear what I should delete. I've already deleted /Applications/Wireshark, /Library/Wireshark, and /Library/StartupItems/ChmodBPF (as mentioned in 'Read me first.rtf') and reinstalled. Is there some other place that plugins are kept?

(30 Jul '12, 14:23) paleozogt

The email thread I referenced also talks about /Applications/Wireshark.app -- maybe that's it? (Sorry, I don't know a lot about Macs.)

~/.wireshark/plugins (your personal plugins directory) is another possibility, but it seems unlikely you'd have that plugin copied there.

(30 Jul '12, 14:33) JeffMorriss ♦

/Applications/Wireshark.app is the Wireshark app bundle; it would include the plugins that ship with Wireshark. Removing it should be sufficient.

I'm not sure what /Library/Wireshark is for.

/Library/StartupItems/ChmodBPF is just the startup item that makes the BPF devices accessible to the access_bpf group; there's not much need to remove it (it also lets you capture with tcpdump and so on - it's also distributed with the libpcap source).

(24 Aug '12, 19:50) Guy Harris ♦♦

0

Please run Wireshark with dtruss.

dtruss -f -t open wireshark

Then check if the same plugin gets loaded from different locations. See man page of dtruss for more information.

Regards
Kurt

answered 30 Jul '12, 14:58

Kurt Knochner ♦

edited 30 Jul '12, 14:58

dtruss outputs that it's opening some of its own helpers, its dylibs, fork, and /usr/local/lib/wireshark and then nothing.

(30 Jul '12, 15:00) paleozogt

Can you please run dtruss without "-t open" and post the output on pastebin.com?

(30 Jul '12, 15:02) Kurt Knochner ♦
(30 Jul '12, 15:04) paleozogt

Do you get the same message if you run tshark? If so, please do the same for tshark?

dtruss -a -f tshark

(30 Jul '12, 15:11) Kurt Knochner ♦

tshark crashes just like wireshark does, but the dtruss output seems different: http://pastebin.com/BiXwVjFb

(30 Jul '12, 15:15) paleozogt

Still not what I expected :-) Both Wireshark and tshark are just shell scripts and dtruss does not follow the call of those scripts (for whatever reason).

So, we need to run dtruss with the real tshark binary. To figure out what is really called, I need the output of this:

sh -x /usr/local/bin/tshark

BTW: is ktrace available on your system?

(30 Jul '12, 15:23) Kurt Knochner ♦
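
Added example, not part of any poster's answer: a read-only check that lists the leftover plugin files the answers above deleted by hand, and any plugin file name that appears in more than one plugin location (the condition the dtruss answer was trying to spot). The function names, the file name check_plugins.sh and the .so/.la extensions are assumptions; the directories and plugin names are the ones mentioned on this page.

```sh
#!/bin/sh
# Added example (not from the thread): list leftover Wireshark plugin files.
# Base names are the plugins the posters on this page removed.
STALE_NAMES="coseventcomm cosnaming parlay sercosiii tango interlink"

# Print every file under the given directories named <stale-name>.<anything>.
find_stale_plugins() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue          # skip locations that do not exist
        for name in $STALE_NAMES; do
            find "$dir" -type f -name "$name.*" 2>/dev/null
        done
    done | sort
}

# Print plugin file names that occur in more than one of the given directories.
# Assumption: plugin files end in .so or .la.
find_duplicate_plugins() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # One entry per file name per directory tree, so uniq -d below only
        # fires when a name is present in two or more trees.
        find "$dir" -type f \( -name '*.so' -o -name '*.la' \) 2>/dev/null |
            sed 's|.*/||' | sort -u
    done | sort | uniq -d
}

# "sh check_plugins.sh scan" (hypothetical file name) checks the three
# locations mentioned on this page and deletes nothing.
if [ "${1:-}" = "scan" ]; then
    set -- "/Applications/Wireshark.app/Contents/Resources/lib/wireshark/plugins" \
           "/usr/local/lib/wireshark" \
           "$HOME/.wireshark/plugins"
    echo "Plugin files with names removed by posters on this page:"
    find_stale_plugins "$@"
    echo "Plugin file names present in more than one location:"
    find_duplicate_plugins "$@"
fi
```

Reviewing the listed paths before running any rm keeps the cleanup limited to files that are actually present.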