This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello,

I use wireshark on several computers, and for some reason I can't get it to work for more than a few minutes on a particular PC running XP, service pack 3. I tried 1.66 and today I installed 1.10.2, with the same results.

Thanks, Victor

asked 11 Oct '13, 14:49

vsabino's gravatar image

vsabino
16114
accept rate: 0%

edited 11 Oct '13, 14:50

Crashes when you capture? Crashes when you open trace files? Crash if you just open wireshark? I guess I would start by removing all vestiges of Wireshark (registry, profiles etc). Or create a new user and see if that helps. rule out the easier ones first before tackling NIC drivers etc.

(11 Oct '13, 17:54) hansangb

I use wireshark on several computers, and for some reason I can't get it to work for more than a few minutes on a particular PC

O.K. so, what is different with that PC? Different software on it (Firewall, Endpoint Security, AV, etc.), different set of malware infections, different set of drivers, etc. What can you rule out and what remains then?

(12 Oct '13, 10:34) Kurt Knochner ♦

Looks like another "it keeps crashing on capture" question to me.

(13 Oct '13, 22:28) Jasper ♦♦

Hi all,

some info on the PC (all the PCs I ran it on are configured the same way):

windows XP prof 2002 service pack 3

Microsoft security essentials: Antimalware Client Version: 4.1.522.0 Engine Version: 1.1.9901.0 Antivirus definition: 1.159.2116.0 Antispyware definition: 1.159.2116.0

Intel Xeon, 2.33 GHz, 2GB RAM

it is at a remote location, I VPN into it. generally wireshark runs for about 15 - 45 minutes before crashing.

I'm not logging tremendous amount of traffic. There are a few packets per second, and bursts of maybe 20 packets per second when we collect data every 5 - 10 minutes.

(14 Oct '13, 07:41) vsabino

Intel Xeon, 2.33 GHz, 2GB RAM
it is at a remote location, I VPN into it. generally wireshark runs for about 15 - 45 minutes before crashing.

O.K. 2 GByte is not much, especially if you connect via RDP (through the VPN tunnel) and don't add a capture filter to ignore the RDP traffic (Capture filter: not port 3389).

The RDP screen updates will create a feed-back loop like this: Wireshark screen gets updated due to new packets, this creates RDP traffic (screen update), which creates new packets, which creates Wireshark screen updates, and so on.

Same, if you use any other remote Desktop solution.

See the many other questions about RAM problems and the solutions.

http://ask.wireshark.org/questions/25343/wireshark-takes-all-ram
http://wiki.wireshark.org/KnownBugs/OutOfMemory
http://blog.packet-foo.com/2013/05/the-notorious-wireshark-out-of-memory-problem/

General soultion: Use dumpcap instead of Wireshark to capture traffic (see the links above).

++ UPDATE ++

I'm not logging tremendous amount of traffic. There are a few packets per second, and bursts of maybe 20 packets per second when we collect data every 5 - 10 minutes.

Did you check the RDP feedback problem I mentioned above. Maybe that's much more traffic than you expect.

it is at a remote location, I VPN into it.

But maybe you get hit by a GTK problem (possibly in conjunction with RDP)

http://ask.wireshark.org/questions/19852/wireshark-eats-up-memory-at-an-alarming-rate-for-version-after-165
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8281

Can you please try the latest development build and report back the results?

http://www.wireshark.org/download/automated/win32/Wireshark-win32-1.11.0-SVN-52597.exe

Or if that does not help, you could try to run Wireshark 1.6.5 (not 1.6.6) as there is a comment in bug 8281:

Cite:

Additional evidence that this is a GTK bug: I tried back releases of Wireshark.  The problem appears to have started with Wireshark release 1.6.6.  Release 1.6.6 was the first to use GTK 2.24.10.  Wireshark release 1.6.5 does not have this problem.  It uses GTK 2.22.1.

Regards
Kurt

permanent link

answered 14 Oct '13, 08:13

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 14 Oct '13, 08:52

Hi Kurt,

I tried dumpcap, and so far it works!! For some reason on this particular PC the regular wireshark does not work, but dumpcap did the job! I left the regular wireshark running overnight on one PC and the dumpcap on another, checked this morning and both were still running.

To respond to your comments on the RDP feed-back loop, i don't have the VPN and RDP sessions continously. I only VPN and then RDP once in a while when I want to check things. I always found that wireshark had crashed before I logged in.

Anyway, thanks for your suggestion on dumpcap!!

Victor

(15 Oct '13, 08:04) vsabino
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×13

question asked: 11 Oct '13, 14:49

question was seen: 2,651 times

last updated: 15 Oct '13, 08:04

p​o​w​e​r​e​d by O​S​Q​A