This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark can’t capture packets after a DDOS attack

The OS is windows 2003 SP2 The version of wireshark is 1.0.7 and the winpcap is the default one which follows with wireshark.

The problem is that wireshark will not work after a ddos attack(larger thant 1Gb/s 100,000packets/s). When I click the capture button a error form shows: "The capture session could not be initiated (driver error: not enough memory to allocate the kernel buffer)." I must restart the OS to let it work correctly again.

I want to know which cause this phenomenon and if there is a way to resolve this problem whiout restarting the system. Thank you.

ddos

asked 05 Jun '11, 07:04

wangxr1985
16●1●1●2
accept rate: 0%

Thank you. But both reinstalling wireshark/winpcap and reloading NPF driver have no effect.Wireshark still shows the same error message when I click the capture button.

(05 Jun '11, 21:49) wangxr1985

Disabling and re-enabling the network card needs to restart the server. I try to do that by a batch file: (devcon disable XXX && devcon enable XXX). But it let me reboot the system: "Not all of 1 device(s) disabled, at least one requires reboot to complete the operation." Changing the swap file need a rebooting,too.

So I can't confirm whether these methods will resolve my problem,because the phenomenon will also disappear after rebooting even if I do nothing about it.

So can anyone give me a method which don't need to reboot the system?

(06 Jun '11, 18:40) wangxr1985

5 Answers:

You might try reloading the NPF driver using net stop npf followed by net start npf, although it sounds like you may not have enough available kernel memory to start a capture.

Edit: Someone more knowledgeable than I suggested disabling and re-enabling your network card(s).

answered 05 Jun '11, 11:26

Gerald Combs ♦♦
3.3k●9●22●58
accept rate: 24%

edited 06 Jun '11, 08:55

1	Now I have Disabled and re-enabled the network card by using command "netsh" , but the problem is still there. answered 06 Jun '11, 21:39 wangxr1985 16●1●1●2 accept rate: 0%

I would uninstall wireshark and winpcap, and reinstall them. Also, I would delete any temporary internet files. You can do these things without rebooting.
To gain more memory I would increase the swap file size, but this will require a reboot. I would check the event logs for any additional information about the problem also. DDoS attacks are difficult by nature to avoid. However, I've read recently Cisco has released RTBH, Remotely Triggered Black Holing, as a method of managing those kinds of attacks.

Best of luck, John

answered 05 Jun '11, 11:12

John_Modlin
120●5
accept rate: 0%

It sounds as though the DDoS flooded your memory, which then overflowed to the.swap file, and may have corrupted it. If you have a 2nd hard drive installed or another partition on the existing hard drive you can add another swapfile. Http://support.microsoft.com/kb/307886

This will require a reboot to become effective, but only once.

Also, you could run ccleaner to cleanup the system and check/correct the registry, just be sure to let it back your registry up first. This does not require a reboot. Ccleaner is a free download.

Hope this helps John

answered 06 Jun '11, 04:39

John_Modlin
120●5
accept rate: 0%

0	You can also try upgrading your nic driver to the latest one from the nic manufacturer. Your nic will rebind during the update and this will not require a reboot. answered 07 Jun '11, 05:59 John_Modlin 120●5 accept rate: 0%