This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark crashes when left open for over 5 minutes on Windows 7 64-bit

0

Wireshark crashes after it's been capturing for approximately 5 or more minutes. I am running the latest version of it on Windows 7 64-bit Ultimate. Does anyone have any ideas on what I could change to stop this? I have an issue on my network that occurs randomly, so I need Wireshark to run a lot longer than 5 minutes.

Thanks.

asked 30 Jun '11, 08:17

digtial911
1112
accept rate: 0%


One Answer:

3

Maybe you're capturing very large amounts of frames or bytes, which might crash Wireshark after a while. Have you tried saving your captured frames into multiple files? You can do that by using the capture options dialog (second button from the left on the main tool bar).

Otherwise I'd try capturing with dumpcap directly, which is installed in the same directory as Wireshark. You can use the -D parameter to get a list of all interfaces, and then use the index number of the one you want like this: dumpcap -i <interface-id> -w <filename>. You can also tell dumpcap to capture to multiple files by using the -b parameter.

answered 30 Jun '11, 08:22

Jasper ♦♦
23.8k551284
accept rate: 18%

The error message is "Microsoft visual C++ runtime library, this application has requested the runtime to terminate in an unusual way. Please contact the applications support team for more information"

Is there any way to automate your proposed solution of saving small capture files? I need Wireshark to be running around the clock to catch a random event occurring on our network. Is there something else that I could use other than Wireshark???

(30 Jun '11, 09:02) digtial911
1

As Jasper has said, what you really want to do is capture the traffic first using the simplest way possible, i.e. dumpcap. This doesn't dissect the traffic, so it doesn't build up memory usage over time, leading to an out-of-memory condition. See the dumpcap man page for more info: http://www.wireshark.org/docs/man-pages/dumpcap.html

You can then use Wireshark (or tshark) to examine the capture files to find your network anomaly.

(30 Jun '11, 09:29) grahamb ♦

Got it, I understand now. I am trying it now. Thanks

(30 Jun '11, 10:25) digtial911

Note that you'd need to have dumpcap save to multiple files; if you save to a single file, you'd have the same Wireshark out-of-memory problem reading that file that you'd have if you'd done the capturing with Wireshark capturing to a single file.

(30 Jun '11, 10:29) Guy Harris ♦♦

Note also that if this is a 64-bit version of Wireshark, it's a lot less likely to have out-of-memory problems; there could well be a Wireshark bug that's causing the crash, in which case attempting to read a packet of the sort that caused the crash could also cause a crash.

(30 Jun '11, 10:30) Guy Harris ♦♦

Do you have the syntax for splitting the output file into multiple files? I don't see it in the dumpcap.html page.

(30 Jun '11, 10:44) digtial911
1

It's the "ring buffer" option, -b. Use "-b filesize:N" to set the maximum size of each file, and don't use the "-b files:N" option, as that sets the maximum number of files, so you'll only have the last N files in that case.

(30 Jun '11, 10:49) Guy Harris ♦♦

Thanks very much Jasper - I had the same issue as the OP but using dumpcap directly works just fine. :)

(28 Nov '12, 06:47) Jezz
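
Added example (not part of the original thread and not Wireshark project code): a small Python helper that builds the dumpcap command line discussed above (-i, -w and -b filesize:N, without -b files:N) and then picks the capture file that was being written when a network event occurred. It relies on dumpcap naming multi-file captures <prefix>_<NNNNN>_<YYYYMMDDHHMMSS><suffix>; the function names and the sample file names are hypothetical and constructed for illustration.

```python
import re
from datetime import datetime

# dumpcap multi-file naming: <prefix>_<sequence>_<YYYYMMDDHHMMSS><suffix>
RING_NAME = re.compile(r"^.+_(?P<seq>\d{5,})_(?P<ts>\d{14})(\.\w+)?$")


def dumpcap_args(interface_id, filename, filesize_kb):
    """Build the dumpcap command from the thread.

    Uses "-b filesize:N" only. "-b files:N" is left out on purpose,
    because it would keep just the last N files.
    """
    if filesize_kb <= 0:
        raise ValueError("filesize must be a positive number of kB")
    return ["dumpcap", "-i", str(interface_id), "-w", filename,
            "-b", f"filesize:{filesize_kb}"]


def file_for_event(names, event_time):
    """Return the capture file being written at event_time, or None."""
    started = []
    for name in names:
        m = RING_NAME.match(name)
        if m:  # ignore anything that is not a multi-file capture
            start = datetime.strptime(m["ts"], "%Y%m%d%H%M%S")
            started.append((start, int(m["seq"]), name))
    covering = None
    for start, _seq, name in sorted(started):
        if start > event_time:
            break  # this file was opened after the event
        covering = name
    return covering


# Constructed sample directory listing (not real capture files).
SAMPLE = [
    "trace_00003_20110630114047.pcap",
    "trace_00001_20110630103000.pcap",
    "notes.txt",
    "trace_00002_20110630110512.pcap",
]

if __name__ == "__main__":
    print(" ".join(dumpcap_args(1, "trace.pcap", 100000)))
    print(file_for_event(SAMPLE, datetime(2011, 6, 30, 11, 20, 0)))
```

Only the file returned by file_for_event then needs to be opened in Wireshark or tshark, which keeps memory use bounded by the filesize value.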