This is our old Q&A Site. Please post any new questions and answers at

I updated from Wireshark 2.0.5 x64 to Wireshark 2.2.0 x64 on both my production machines (Windows 8.1 x64 and Windows Server 2012 R2 x64), and on both machines Wireshark now hits a Microsoft C++ Runtime exception in libwireshark!dissect-ndr-nt-NTTIME+0x975e when opening any saved LAN trace I have, using any method. (Pick from MRU list on Wireshark main display, double-click saved LAN trace file out of Windows Explorer, open saved LAN trace attachment directly from email, etc.) Opening Wireshark 2.2.0 without asking to open a LAN trace works fine.

I backed off to the Wireshark 2.0.6 x64 release on both machines and everything runs fine with this previous release. Have crash dumps and can file a bug, but just wanted to make sure its not something already known or worked around regarding the updated Microsoft runtime dependency, since I'm not seeing widespread reports from Wireshark 2.2.0 users.

asked 21 Sep '16, 07:34

AlanA's gravatar image

accept rate: 50%

What do you mean by LAN trace? A Wireshark capture from your LAN, or a capture generated by another tool?

(21 Sep '16, 08:33) grahamb ♦

Another engineer at my company entered this as Bug 12962, and it has been resolved in 2.2.1.

permanent link

answered 06 Oct '16, 15:40

AlanA's gravatar image

accept rate: 50%

Downloading the PDB symbols from allowed me to identify that the crash is in the NCP protocol dissector, and indeed all the LAN traces I have been opening would have involved the NCP protocol. (Crash is actually at libwireshark!ncp2222-compile-dfilters+0x8e.) Will consult with the NCP dissector author and file as bug as needed.

permanent link

answered 21 Sep '16, 09:36

AlanA's gravatar image

accept rate: 50%

If you do not need to dissect the NCP packets in particular (i.e. if they are not your focus but they just happen to be present in your traces), you may disable NCP through Analysis -> Enabled Protocols after starting Wireshark without opening any trace. The "enabled protocols" settings survive Wireshark closure and re-opening, so once done, you can open your traces safely.

(21 Sep '16, 11:59) sindy

If you haven't yet filed the bug, please attach a sample capture that causes the crash to the bug when you file it, if possible.

If you have filed the bug, and there isn't a sample capture that causes the crash attached to the bug, please attach one, if possible.

(21 Sep '16, 17:54) Guy Harris ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 21 Sep '16, 07:34

question was seen: 1,488 times

last updated: 06 Oct '16, 15:40

p​o​w​e​r​e​d by O​S​Q​A