This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Runtime error with Wireshark 2.2.0 x64 opening any saved LAN trace.

0

I updated from Wireshark 2.0.5 x64 to Wireshark 2.2.0 x64 on both my production machines (Windows 8.1 x64 and Windows Server 2012 R2 x64), and on both machines Wireshark now hits a Microsoft C++ Runtime exception in libwireshark!dissect-ndr-nt-NTTIME+0x975e when opening any saved LAN trace I have, using any method. (Pick from MRU list on Wireshark main display, double-click saved LAN trace file out of Windows Explorer, open saved LAN trace attachment directly from email, etc.) Opening Wireshark 2.2.0 without asking to open a LAN trace works fine.

I backed off to the Wireshark 2.0.6 x64 release on both machines and everything runs fine with this previous release. Have crash dumps and can file a bug, but just wanted to make sure it's not something already known or worked around regarding the updated Microsoft runtime dependency, since I'm not seeing widespread reports from Wireshark 2.2.0 users.

asked 21 Sep '16, 07:34

AlanA

What do you mean by LAN trace? A Wireshark capture from your LAN, or a capture generated by another tool?

(21 Sep '16, 08:33) grahamb ♦

2 Answers:

0

Another engineer at my company entered this as Bug 12962, and it has been resolved in 2.2.1.

answered 06 Oct '16, 15:40

AlanA

0

Downloading the PDB symbols from https://www.wireshark.org/download/win64/all-versions/ allowed me to identify that the crash is in the NCP protocol dissector, and indeed all the LAN traces I have been opening would have involved the NCP protocol. (Crash is actually at libwireshark!ncp2222-compile-dfilters+0x8e.) Will consult with the NCP dissector author and file a bug as needed.

answered 21 Sep '16, 09:36

AlanA

If you do not need to dissect the NCP packets in particular (i.e. if they are not your focus but they just happen to be present in your traces), you may disable NCP through Analysis -> Enabled Protocols after starting Wireshark without opening any trace. The "enabled protocols" settings survive Wireshark closure and re-opening, so once done, you can open your traces safely.

(21 Sep '16, 11:59) sindy

If you haven't yet filed the bug, please attach a sample capture that causes the crash to the bug when you file it, if possible.

If you have filed the bug, and there isn't a sample capture that causes the crash attached to the bug, please attach one, if possible.

(21 Sep '16, 17:54) Guy Harris ♦♦