Hello, I use Wireshark on several computers, and for some reason I can't get it to work for more than a few minutes on a particular PC running XP, Service Pack 3. I tried 1.66 and today I installed 1.10.2, with the same results. Thanks, Victor
asked 11 Oct '13, 14:49 vsabino, edited 11 Oct '13, 14:50
One Answer:
O.K. 2 GByte is not much, especially if you connect via RDP (through the VPN tunnel) and don't add a capture filter to ignore the RDP traffic (capture filter: not port 3389). The RDP screen updates will create a feedback loop like this: the Wireshark screen gets updated due to new packets, this creates RDP traffic (screen update), which creates new packets, which creates Wireshark screen updates, and so on. The same applies if you use any other remote desktop solution. See the many other questions about RAM problems and the solutions.
General solution: Use dumpcap instead of Wireshark to capture traffic (see the links above).
++ UPDATE ++
Did you check the RDP feedback problem I mentioned above? Maybe that's much more traffic than you expect.
But maybe you get hit by a GTK problem (possibly in conjunction with RDP).
Can you please try the latest development build and report back the results?
Or if that does not help, you could try to run Wireshark 1.6.5 (not 1.6.6) as there is a comment in bug 8281: Cite:
Regards
answered 14 Oct '13, 08:13 Kurt Knochner ♦, edited 14 Oct '13, 08:52
Hi Kurt, I tried dumpcap, and so far it works!! For some reason on this particular PC the regular Wireshark does not work, but dumpcap did the job! I left the regular Wireshark running overnight on one PC and dumpcap on another, checked this morning and both were still running. To respond to your comments on the RDP feedback loop, I don't have the VPN and RDP sessions continuously. I only VPN and then RDP once in a while when I want to check things. I always found that Wireshark had crashed before I logged in. Anyway, thanks for your suggestion on dumpcap!! Victor (15 Oct '13, 08:04) vsabino
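The two suggestions from the answer, capturing with dumpcap instead of the Wireshark GUI and filtering out the RDP session's own traffic, combined into one long-running capture with a ring buffer so disk use stays bounded. This is an added example, not code from the original thread; it assumes dumpcap is on the PATH, and the interface name and output path are placeholders (the flags are the same for dumpcap.exe on Windows).

```shell
#!/bin/sh
# Added example: unattended capture with dumpcap, excluding the remote desktop
# session's traffic (so the capture does not feed back on itself) and rotating
# output files so a days-long capture cannot fill the disk.
# Assumptions: dumpcap is installed and on PATH; interface/output are placeholders.

RDP_PORT=3389          # port used by the RDP session that views this machine
RING_FILE_KB=102400    # rotate to a new file after ~100 MB
RING_FILES=10          # keep at most 10 files; the oldest is overwritten

# Build the dumpcap command line as a string, so it can be inspected (or logged)
# before anything is run. The capture filter "not port 3389" drops the RDP
# screen-update traffic described in the answer; -b filesize/-b files form the
# ring buffer; -w is the base name of the rotated capture files.
build_dumpcap_cmd() {
  iface="$1"
  outfile="$2"
  printf 'dumpcap -i %s -f "not port %s" -b filesize:%s -b files:%s -w %s' \
    "$iface" "$RDP_PORT" "$RING_FILE_KB" "$RING_FILES" "$outfile"
}

# Start the capture in the foreground; run it under a service wrapper or
# scheduler if it must outlive the login session.
start_capture() {
  eval "$(build_dumpcap_cmd "$1" "$2")"
}
```

The same ring-buffer settings are available in the Wireshark GUI under Capture Options, but running dumpcap alone avoids the GUI's per-packet memory growth that the answer describes.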
Crashes when you capture? Crashes when you open trace files? Crashes if you just open Wireshark? I guess I would start by removing all vestiges of Wireshark (registry, profiles, etc.). Or create a new user and see if that helps. Rule out the easier ones first before tackling NIC drivers, etc.
O.K. so, what is different with that PC? Different software on it (Firewall, Endpoint Security, AV, etc.), different set of malware infections, different set of drivers, etc. What can you rule out and what remains then?
Looks like another "it keeps crashing on capture" question to me.
Hi all,
Some info on the PC (all the PCs I ran it on are configured the same way):
Windows XP Prof 2002 Service Pack 3
Microsoft Security Essentials: Antimalware Client Version: 4.1.522.0, Engine Version: 1.1.9901.0, Antivirus definition: 1.159.2116.0, Antispyware definition: 1.159.2116.0
Intel Xeon, 2.33 GHz, 2 GB RAM
It is at a remote location; I VPN into it. Generally Wireshark runs for about 15 - 45 minutes before crashing.
I'm not logging a tremendous amount of traffic. There are a few packets per second, and bursts of maybe 20 packets per second when we collect data every 5 - 10 minutes.