I have installed wireshark on 2 computers, One is W-7 Pro sp-1 32 bit and the other is Windows XP Pro sp-3 32 bit. After a few minutes of capture, I receive an error message "This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team fro more information." I have setup wireshark to capture the local interface, use multiple files next every 1 megabyte and to stop the capture after 10 hours. I am saving the files to an external hard drive connected via USB. I have seen that others are also having the error and that the work around is to use dumpcap. That doesn't really solve the issue. I have tried using v 1.8.4 and 1.6.12 and get the same results. It appears that wireshark is using increasingly more and more memory as it captures the data. Is there a solution to the problem? Thanks asked 23 Jan '13, 07:02 bmerryusa |
One Answer:
Yes, use dumpcap. Wireshark (and to a lesser extent tshark) retain state even when using multiple files, and this will build up over time and cause the program to run out of memory. answered 23 Jan '13, 07:13 grahamb ♦ |
I switched back to 1.6.5 and the memory loss is much slower allowing me time to get the captures I need. Is there a way to keep Wireshark from retaining state? This seems to be a severe limitation. When I have a bit of time, I will see if I can get dumpcap to do the job.
Thanks
Unfortunately Wireshark needs to build up state info to be able to offer such things as conversation tracking.
Wireshark itself uses dumpcap to capture traffic, so you won't be losing any features by using it.