Hello, I am currently using the following Tshark command to capture packets between a couple servers for an hour.
The problem I am having is wireshark just stops capturing packets after a couple of minutes. I know the tshark trace runs for an hour because in the batch file I have to pop up a message box after it is complete so it will write to windows event viewer. Now if I decide just to open wireshark and start a capture, it might go for 5 minutes and just stop. At first I thought there just wasn't anything coming to/from the server so I pinged another server and I didn't see the pings in the wireshark trace. Wireshark doesn't lock up or go (not responding) it just stops. The application is still fully functional and responsive the trace just stops. It is on server 2008 R2 and my laptop is Windows 10 with wireshark Version 2.2.0 (v2.2.0-0-g5368c50 from master-2.2) Any Ideas? Oh and if I run wireshark on my laptop I can have it run for an hour with no issues of it capturing packets. Thank you, Keyboard asked 03 Oct '16, 06:13 keyboard edited 03 Oct '16, 07:05 grahamb ♦ showing 5 of 16 show 11 more comments |
Is there a lot of traffic on the server? If so you might be running into the Out Of Memory issue.
No there is not a lot of traffic and the server has 64gb of ram. I am using a capture filter to look between 3 servers.
There should still be a capture file produced, can you load it at all?
Yes I can load the capture file just fine its is during the capture process that wireshark just stops capturing any data at all.
Sounds like the issue is with dumpcap.exe, the process that actually does the capturing for Wireshark and tshark.
Are there any "Application Error" events in the Windows Application event log for dumpcap.exe?
I looked for errors in event viewer and there are none.
OK, in such case, can you try to run dumpcap directly instead of invoking it via tshark? Hypothetically, I could imagine some dissector to eat RAM quicker than others so even a few packets of the "right" protocol could be enough to clog the RAM. Running dumpcap alone, with the same command line parameters you normally give to tshark, should make it clear whether the issue is in dumpcap or in the dissectors.
ok I have never ran just dumpcap directly would it look like this?
dumpcap -i 1 -a duration:3600 -w C:\WiresharkCapture\Trace.pcap -f "(host XXX.XXX.XXX.XXX or XXX.XXX.XXX.XXX) or (host XXX.XXX.XXX.XXX or XXX.XXX.XXX.XXX)"
Thank you for your assistance
Yes.
Off topic,
(host x or y) or (host z or t)
is equivalent to justhost x or y or z or t
.I have change my batch file to run dumpcap directly and I have captured 663 packets and then it just stops. It has been setting there for about 20 minute now and I know there is data going back and forth between the servers.
And is the dumpcap.exe process still running?
yes it is still running. task manager showing 0 CPU and 2,268k Memory (private working set).
I wonder if it's some issue with being run from your batch file? Can you try running dumpcap directly from the command line?
so I just ran the following command directly in a cmd window as admin.
dumpcap -i 1 -a duration:3600 -w C:\WiresharkCapture\WiresharkDumpcapTest.pcap -f "(host XXX.XXX.XXX.XXX or XXX.XXX.XXX.XXX) or (host XXX.XXX.XXX.XXX or XXX.XXX.XXX.XXX)"
It captured 21354 packets in about 5 minutes and is now just setting there not capturing anything.
Thank you grahamb for your help!
A last attempt to clutch at a straw here, do you have any third-party security (e.g. end-point protection) or VPN software installed on the server? If so, please remove (not just disable) and try again.
If not, this would appear to be some sort of bug in dumpcap and as such is now off-topic for this site.
You now need to take this to the Wireshark Bugzilla and raise a defect issue there. Ideally attach the capture you have so far and a memory dump of the dumpcap process to the issue so that hopefully someone can look at it.
To create a process dump, locate the process in Task Manager on the process tab, right click the process and select "Create Dump File". The resulting dialog gives you the location of the dump file which you should zip up first and then attach to the issue.
Thank you for your help grahamb!