
On Mac OS X 10.6.8, Wireshark 1.8.1 will crash with "Duplicate protocol name":

$ wireshark 
2012-07-30 11:54:01.134 defaults[766:903] 
The domain/default pair of (kCFPreferencesAnyApplication, AppleAquaColorVariant) does not exist
2012-07-30 11:54:01.143 defaults[767:903] 
The domain/default pair of (kCFPreferencesAnyApplication, AppleHighlightColor) does not exist

(process:756): Gtk-WARNING **: Locale not supported by C library.
    Using the fallback 'C' locale.
Xlib:  extension "RANDR" missing on display "/tmp/launch-LsbeDg/org.x:0".

(wireshark-bin:756): Gtk-WARNING **: Unable to locate theme engine in module_path: "clearlooks",
11:54:01          Err  Duplicate protocol name "Coseventcomm Dissector Using GIOP API"! This might be caused by an inappropriate plugin or a development error.
Trace/BPT trap

How to fix this? I've uninstalled, restarted, and reinstalled.

asked 30 Jul '12, 11:01

paleozogt


edited 30 Jul '12, 11:05

air:~ nate$ rm -rf /Applications/*

air:~ nate$ rm -rf /Applications/*

air:~ nate$ rm -rf /Applications/*

air:~ nate$ rm -rf /Applications/*

air:~ nate$ rm -rf /Applications/*

fixed it for me

a 'locate giop' provided no results, and there was no giop plugin...



answered 23 Aug '12, 00:01

natenate19


GIOP is the CORBA General Inter-ORB Protocol; Wireshark's dissector for it is built-in. The offending plugins (except for SERCOS III) are for protocols implemented atop GIOP/IIOP (just as, say, NFS is implemented atop ONC RPC). They were converted to built-in dissectors in Wireshark 1.8; as the Wireshark installer doesn't get rid of old plugins, if you install 1.8.x on top of a system with an earlier Wireshark version, you may end up with a Wireshark with a built-in and a plugin dissector for the same protocol, and hilarity ensues.

(24 Aug '12, 19:47) Guy Harris ♦♦

I had to rm -rf /Applications/* as well, but after that it launches.

(18 Jun '13, 04:04) MagerValp

There's probably a plugin left over from an earlier installation (maybe you installed over an old version?). See bug 7401 and this email thread on the -users list.

(BTW, yes, you should presumably be allowed to install over the old version but the bug is still open.)


answered 30 Jul '12, 14:12

JeffMorriss ♦

It's unclear what I should delete. I've already deleted /Applications/Wireshark, /Library/Wireshark, and /Library/StartupItems/ChmodBPF (as mentioned in 'Read me first.rtf') and reinstalled. Is there some other place that plugins are kept?

(30 Jul '12, 14:23) paleozogt

The email thread I referenced also talks about /Applications/ -- maybe that's it? (Sorry, I don't know a lot about Macs.)

~/.wireshark/plugins (your personal plugins directory) is another possibility, but it seems unlikely you'd have that plugin copied there.

(30 Jul '12, 14:33) JeffMorriss ♦

/Applications/ is the Wireshark app bundle; it would include the plugins that ship with Wireshark. Removing it should be sufficient.

I'm not sure what /Library/Wireshark is for.

/Library/StartupItems/ChmodBPF is just the startup item that makes the BPF devices accessible to the access_bpf group; there's not much need to remove it (it also lets you capture with tcpdump and so on - it's also distributed with the libpcap source).

(24 Aug '12, 19:50) Guy Harris ♦♦

Please run Wireshark with dtruss.

dtruss -f -t open wireshark

Then check if the same plugin gets loaded from different locations. See man page of dtruss for more information.



answered 30 Jul '12, 14:58

Kurt Knochner ♦

edited 30 Jul '12, 14:58

dtruss outputs that it's opening some of its own helpers, its dylibs, fork, and /usr/local/lib/wireshark and then nothing.

(30 Jul '12, 15:00) paleozogt

Can you please run dtruss without "-t open" and post the output on

(30 Jul '12, 15:02) Kurt Knochner ♦

Do you get the same message if you run tshark? If so, please do the same for tshark?

dtruss -a -f tshark

(30 Jul '12, 15:11) Kurt Knochner ♦

tshark crashes just like wireshark does, but the dtruss output seems different:

(30 Jul '12, 15:15) paleozogt

Still not what I expected :-) Both Wireshark and tshark are just shell scripts and dtruss does not follow the call of those scripts (for whatever reason).

So, we need to run dtruss with the real tshark binary. To figure out what is really called, I need the output of this:

sh -x /usr/local/bin/tshark

BTW: is ktrace available on your system?

(30 Jul '12, 15:23) Kurt Knochner ♦
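
The check suggested in the answer above (does the same plugin get loaded from different locations?), as an added example that is not part of the original thread: it reads a saved trace and reports the directories plugins were opened from and any plugin file opened from more than one of them. The trace lines, paths and plugin names are constructed, and the `open("path\0", ...)` line shape is an assumption about the trace format.

```shell
#!/bin/sh
# Added example: summarise plugin loads recorded in a saved open() trace.

# Print "file<TAB>directory" once for each .so opened under a plugins directory.
plugin_opens() {
    awk '
    {
        i = index($0, "open(\"")
        if (i == 0) next
        p = substr($0, i + 6)
        sub(/(\\0)?".*/, "", p)   # cut at closing quote; dtruss shows a trailing \0
        if (p !~ /\/plugins\// || p !~ /\.so$/) next
        n = split(p, part, "/")
        dir = substr(p, 1, length(p) - length(part[n]) - 1)
        if (!((part[n], dir) in seen)) {
            seen[part[n], dir] = 1
            print part[n] "\t" dir
        }
    }' "$1"
}

# Distinct directories plugins were opened from (a leftover tree shows up here).
plugin_dirs() { plugin_opens "$1" | cut -f2 | sort -u; }

# Plugin file names opened from more than one directory.
duplicate_plugins() { plugin_opens "$1" | cut -f1 | sort | uniq -d; }

# Constructed sample in the style of dtruss output; PIDs, paths and plugin
# names are made up for illustration.
write_sample_trace() {
    cat > "$1" <<'EOF'
  756/0x1a2f:  open("/usr/local/lib/wireshark/plugins/1.8.1/alpha.so\0", 0x0, 0x0)  = 7 0
  756/0x1a2f:  open("/usr/local/lib/wireshark/plugins/1.8.1/beta.so\0", 0x0, 0x0)  = 7 0
  756/0x1a2f:  open("/Users/example/.wireshark/plugins/alpha.so\0", 0x0, 0x0)  = 7 0
  756/0x1a2f:  open("/usr/lib/libz.1.dylib\0", 0x0, 0x0)  = 6 0
  756/0x1a2f:  stat64("/usr/local/lib/wireshark/plugins/1.8.1/gamma.so\0", 0x0, 0x0)  = 0 0
EOF
}

# Use the trace file given as $1, or fall back to the constructed sample.
trace=${1:-}
if [ -z "$trace" ]; then
    trace=$(mktemp)
    write_sample_trace "$trace"
    sample=1
fi
echo "plugin directories:";              plugin_dirs "$trace"
echo "opened from several directories:"; duplicate_plugins "$trace"
[ -z "${sample:-}" ] || rm -f "$trace"
```

As noted in the thread, the trace has to come from the real binary rather than the wrapper shell script, otherwise no plugin opens appear in it.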
question asked: 30 Jul '12, 11:01

question was seen: 5,087 times

last updated: 18 Jun '13, 04:04
