This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark crashing

0

Hey All,

I am getting an issue with WireShark crashing after around 50 minutes of caputring.

I read some posts saying this was down to a memory issue but I have monitored the server and although memory consumption by wireshark reachs a few GB it nevers maxes out the available memory. I even tried having it split the captures into 10mb files and it still crashes around 50 minutes.

Anyone have any ideas what could be causing this issue?

I am monitring a HP Teamed Network, the server in question is a HP DL360 G7 and running windows 2008R2 SP1

Faulting application name: wireshark.exe, version: 1.8.6.48142, time stamp: 0x513791b6
Faulting module name: libglib-2.0-0.dll, version: 2.34.1.0, time stamp: 0x508d9e80
Exception code: 0x40000015
Fault offset: 0x00000000000509c2
Faulting process id: 0x2d34
Faulting application start time: 0x01ce428f5ce63f4a
Faulting application path: C:\Program Files\Wireshark\wireshark.exe
Faulting module path: C:\Program Files\Wireshark\libglib-2.0-0.dll
Report Id: a03eb28a-ae88-11e2-860e-ac162d6f982c

asked 26 Apr '13, 09:14

Steven576's gravatar image

Steven576
1111
accept rate: 0%

edited 26 Apr '13, 19:12

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196

I have also tried running it on a different server and still experience the same issue.

(26 Apr '13, 09:19) Steven576

2 Answers:

1

If you are running 32 bit Wireshark, then like all 32 bit Windows programs it will be limited to the amount of memory it can use, even on a 64 bit OS. The executable is large memory aware, so on a properly configured 32 bit OS (using the /3GB boot flag) it may use up to 3GB, otherwise only 2GB. On a 64 bit OS it may use up to 4GB.

The 64 bit version of Wireshark may use up to 8TB.

As Jasper says, when large amounts of traffic are involved dumpcap should be used with multiple files (-b option). This is because Wireshark (and tshark) accumulate state information about conversations that cause them to run out of memory.

See this KB article for more info on process memory space.

answered 26 Apr '13, 09:38

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

edited 26 Apr '13, 19:14

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196

0

Yes, it looks like you encounter the Out-of-memory problem, see this Wiki page: http://wiki.wireshark.org/KnownBugs/OutOfMemory. Keep in mind that this problem cannot simply be fought by putting more memory in the PC - Wireshark will still into trouble. The only way to get around it is by not having Wireshark build up data structures of packets.

Try capturing using the command line tool dumpcap instead, you can find it in the Wireshark directory. "dumpcap -d" will give you a list of interfaces, "dumpcap -i INTERFACENO" will capture on that interface.

answered 26 Apr '13, 09:22

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

edited 26 Apr '13, 09:32