This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark keeps crashing while doing RTP stream analysis

0

I am running Wireshark in Windows 7, running it under Windows XP SP3 compatibility mode, and I am able to decode UDP to RTP, but when I try to do a stream analysis under Telephony/RTP it gets halfway through the process and then crashes. Do you have any insight into this issue?

asked 07 Jul '11, 11:58

GregForster

edited 14 Jul '11, 01:42

Jaap ♦

Why do you run it in XP SP3 compatibility mode? Oh, and you should add information about what build you're running, and if it is x86 or x64.

(07 Jul '11, 12:41) Jasper ♦♦

And you should also report what size file you are loading/analyzing and how much memory your system has - both used and free while performing the stream analysis. You could be running into an out-of-memory problem.

(07 Jul '11, 19:38) cmaynard ♦♦

Well, I originally ran it in normal Windows 7 mode but it crashed as well. It is build 1.6.0 and it is x86. The file I am analyzing is 24mb; my system has 4gb (3.1gb usable).

(13 Jul '11, 12:50) GregForster

Possibly a bug ....

Something to try to get further info:

  1. Determine the number of frames in the capture.

  2. Do

    editcap -r <in-file> <outfile1> 1-a

    editcap -r <in-file> <outfile2> b-n

    to split the capture file into two parts;

    n = total number of frames;

    a = 1/2 n

    b = 1/2 n + 1;

  3. Try processing each of these files with Wireshark.

Do you still get the error with one of the files ?

If so, probably a bug (and not a memory issue).

Repeat 2 with the file with the error...

(13 Jul '11, 13:02) Bill Meier ♦♦

In any case is it possible to attach the file to a bug report at bugs.wireshark.org ?

(If necessary the file can be marked private so that only the Wireshark core developers can access the attachment).

The idea is to get as small a file as possible which causes the error.

PS: It appears that there's no need to run in XP compatibility mode

(13 Jul '11, 13:05) Bill Meier ♦♦

Are you doing this split in a command prompt? I tried that and it gives the infamous "this is not a supported command".

(14 Jul '11, 05:41) GregForster

I sent the file in to bugs.wireshark.org. I hope someone can help me with this. Thank you.

(14 Jul '11, 05:50) GregForster

To answer the question about how many frames there are, well, it is showing 437738 frames.

(14 Jul '11, 09:59) GregForster

One Answer:

1

Thanks for filing a bug at bugs.wireshark.org https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6120

There is, indeed, a Wireshark bug; I've isolated a single frame from the capture which causes a crash when Telephony ! RTP ! Stream Analysis is invoked on the frame.

answered 14 Jul '11, 10:35

Bill Meier ♦♦

Thanks for letting me know of the bug, but now is this going to be fixed? I am having this issue with all captures and I deal only in rtp analysis.

(14 Jul '11, 10:46) GregForster

I'm dancing as fast as I can... :)

(IOW: I'm working on it).

The problem appears to be related to the fact that the captured RTP frames are truncated (i.e., the capture is configured to save only the initial part of each frame: 96 bytes in this case).

A possible workaround: Configure the capture to save the complete frames.

(14 Jul '11, 11:01) Bill Meier ♦♦
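
The condition described in the comment above (frames saved with a 96-byte snapshot length) can be checked for in a capture file before running the analysis. This is an added example, not part of the original thread and not Wireshark code; it assumes a classic pcap file rather than pcapng, and the function names and the sample capture bytes are constructed for illustration.

```python
import io
import struct

# Classic pcap magic numbers (microsecond and nanosecond timestamp variants).
_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}

def find_truncated_frames(stream):
    """Return (snaplen, [(frame_no, captured_len, original_len), ...]) listing
    every record whose captured length is shorter than its length on the wire."""
    header = stream.read(24)
    if len(header) < 24:
        raise ValueError("not a pcap file: global header too short")
    for endian in ("<", ">"):  # the magic number tells us the writer's byte order
        if struct.unpack(endian + "I", header[:4])[0] in _MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    snaplen = struct.unpack(endian + "I", header[16:20])[0]
    truncated, frame_no = [], 0
    while True:
        rec = stream.read(16)  # ts_sec, ts_frac, incl_len, orig_len
        if not rec:
            break
        if len(rec) < 16:
            raise ValueError("file ends inside a record header")
        _sec, _frac, incl_len, orig_len = struct.unpack(endian + "IIII", rec)
        frame_no += 1
        if len(stream.read(incl_len)) < incl_len:
            raise ValueError(f"file ends inside frame {frame_no}")
        if incl_len < orig_len:  # capture kept only the start of this frame
            truncated.append((frame_no, incl_len, orig_len))
    return snaplen, truncated

def build_sample_pcap():
    """Constructed sample: snaplen 96, a complete 60-byte frame, then a
    214-byte frame of which only the first 96 bytes were saved."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96, 1)
    for orig_len in (60, 214):
        incl_len = min(orig_len, 96)
        out += struct.pack("<IIII", 0, 0, incl_len, orig_len) + bytes(incl_len)
    return out

if __name__ == "__main__":
    snaplen, cut = find_truncated_frames(io.BytesIO(build_sample_pcap()))
    print(f"snaplen={snaplen}, truncated frames: {cut}")
```

For a real file, pass `open(path, "rb")` instead of the in-memory sample; a non-empty list means the capture was taken with a snapshot length smaller than some frames.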

Same crash problem for me when I try to use time of the day in player window. I am using Windows 7 Ultimate 32 bit and Wireshark v 1.8.0

(29 Jun '12, 09:26) Mamun