This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have installed wireshark on 2 computers, One is W-7 Pro sp-1 32 bit and the other is Windows XP Pro sp-3 32 bit. After a few minutes of capture, I receive an error message "This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team fro more information." I have setup wireshark to capture the local interface, use multiple files next every 1 megabyte and to stop the capture after 10 hours. I am saving the files to an external hard drive connected via USB.

I have seen that others are also having the error and that the work around is to use dumpcap. That doesn't really solve the issue.

I have tried using v 1.8.4 and 1.6.12 and get the same results.

It appears that wireshark is using increasingly more and more memory as it captures the data.

Is there a solution to the problem?

Thanks

asked 23 Jan '13, 07:02

bmerryusa's gravatar image

bmerryusa
11112
accept rate: 0%


Yes, use dumpcap. Wireshark (and to a lesser extent tshark) retain state even when using multiple files, and this will build up over time and cause the program to run out of memory.

permanent link

answered 23 Jan '13, 07:13

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

I switched back to 1.6.5 and the memory loss is much slower allowing me time to get the captures I need. Is there a way to keep Wireshark from retaining state? This seems to be a severe limitation. When I have a bit of time, I will see if I can get dumpcap to do the job.

Thanks

(24 Jan '13, 12:14) bmerryusa

Unfortunately Wireshark needs to build up state info to be able to offer such things as conversation tracking.

Wireshark itself uses dumpcap to capture traffic, so you won't be losing any features by using it.

(24 Jan '13, 13:20) grahamb ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×17

question asked: 23 Jan '13, 07:02

question was seen: 4,166 times

last updated: 24 Jan '13, 13:20

p​o​w​e​r​e​d by O​S​Q​A