Hello, I am trying to perform FAST decoding in 32-bit wireshark on linux and the size of the pcap file is about 1.2MB (20,000 packets). I start decoding and I am able to decode part of the file but wireshark suddenly crashes and gets closed. As I used to be able to decode 100,000 packets and I am using the same machine and wireshark version, I am wondering what might be problem. I would appreciate if anyone could help me. Thanks, Farhad asked 05 Mar '13, 14:37 fhaghigh |
2 Answers:
It sounds like some specific data in the pcap is causuing Wireshark to crash. Can you file a bug report at bugs.wireshark.org and attach the capture file causing the crash ? (see below) (If necessary, you can mark the bug as private so that only the Wireshark core developers will be able to examine the capture file). Note: you may find it useful to "bisect" the file to find the frame(s) causing the error. You can use the command line tool editcap (part of the Wireshark package) to do this. See 'editcap -h" answered 05 Mar '13, 15:19 Bill Meier ♦♦ edited 05 Mar '13, 15:20 |
as discussed in your other FAST question, that dissector is an 'external' plugin and not part of Wireshark. There could be a bug in that plugin which causes Wireshark to crash. It's best to contact the developers of that plugin and ask for help. If you are able to post the capture file (google docs, dropbox, etc.), someone here may (or may not) be able to help you. Regards answered 05 Mar '13, 15:22 Kurt Knochner ♦ edited 05 Mar '13, 15:22 I'm not sure if it's because of the plugin. Could it because of wireshark running out of memory? I run it on a server and my guess is that it runs out of memory when many processes are running. (06 Mar '13, 06:22) fhaghigh hard to say without access to the capture file.... As you say it works with 100.000 packets but it does not work with 20.000 packets, I don't believe it's a memory problem. (06 Mar '13, 06:32) Kurt Knochner ♦ I just asked and unfortunately I cannot share the capture file. The reason i was suspicious about the memory is that last time I decoded 100,000 packets I was the only user using the server. (06 Mar '13, 06:38) fhaghigh
well, then I guess it will be hard to troubleshoot the issue externally. (06 Mar '13, 08:08) Kurt Knochner ♦ I found out the problem! there are packets inside the capture file that don't contain any stop bit, so the dissector crashes on them. It wasn't wireshark! Thanks for all the helps. (06 Mar '13, 14:20) fhaghigh |
Thanks for you answer. I will post in bugs.wireshark.org.