wireshark gui freezes upon loading logfile

0

I am having difficulty opening a series of files created by tshark.exe. It is rather large, but I have opened large files before without a problem. The loading is even done in a separate thread so I can see the progress of it in the GUI.

This is the info from capsinfos.exe about the file in question: 

File type:           Wireshark - pcapng
File encapsulation:  Ethernet
Packet size limit:   file hdr: (not set)
Number of packets:   907544
File size:           146040212 bytes
Data size:           115427911 bytes
Capture duration:    86397 seconds
Start time:          Sat Aug 04 22:07:38 2012
End time:            Sun Aug 05 22:07:35 2012
Data byte rate:      1336.02 bytes/sec
Data bit rate:       10688.14 bits/sec
Average packet size: 127.19 bytes
Average packet rate: 10.50 packets/sec
SHA1:                074c2dbbfa65835f8cb6deb595ee6face9159ed9
RIPEMD160:           d7f963a411ae8d37c83b07fe660a11163a11bc57
MD5:                 612aac26fa3c140bd182ad44ae8836bd
Strict time order:   False
This is one example in a series of files I am generating on a 24 hour rotation. Any suggestions how I might get these files opened?

asked 06 Aug '12, 23:33

namreeb's gravatar image

namreeb
1111
accept rate: 0%

edited 07 Aug '12, 02:26

Jaap's gravatar image

Jaap ♦
6.0k568
2 Answers:
oldestnewestmost voted
0

Wireshark collects (possibly an awful) lot of state while loading a capture. It's impossible to tell how much beforehand. That could lead to problems. Another option is that you've hit upon a dissection bug.

Anyway, to work around these use editcap to slice your capture in two and try to load each separately. This may show which part contains the cause. Maybe repeat the slicing even further. You can also load a file set if you need packets from multiple slices. Experiment a bit and see what it tells you.

link

answered 07 Aug '12, 02:31

Jaap's gravatar image

Jaap ♦
6.0k568
accept rate: 11%

0

File size: 146040212 bytes

146 MByte is not really a large capture file for a "decent" system. If your system has >= 2 GByte RAM, you "should" be able to open that file, expect you are running into a bug.

Somme suggestions:

  1. Please try to open the file with different versions of Wireshark (1.6, 1.8).
  2. Please check if there are some time consuming options enabled (like "Name Resoultion"). Edit -> Preferences -> Name Resolution. Disable all "name resolution" options, then try again to open the file.
  3. Try to open the file with tshark. Does it freeze?

Regards Kurt

link

answered 07 Aug '12, 04:20

Kurt%20Knochner's gravatar image

Kurt Knochner
8.3k51875
accept rate: 15%

edited 07 Aug '12, 05:14

I have 16Gb of RAM on both systems that I used to try opening the file. I have opened other, larger files without any problems. I did use editcap.exe to split the file into 100,000 packet files which makes them 13-15Mb and had the exact same problem. If I try and open a log file from a previous week, which was generated on the same system with (I think) the exact same tshark.exe syntax, it works fine!

(07 Aug '12, 05:52) namreeb

Some more questions:

  1. did you check the "Name Resolution" options?
  2. does Wireshark freeze "instantly" at a certain point (e.g. after loading 10% of the file), or will it gradually slow down during the load process until it freezes?
  3. did you install anything on your system lately (please double check!)
  4. what is your wireshark version (wireshark -v)?
  5. what is your OS (and version) of the system running Wireshark?
(07 Aug '12, 06:21) Kurt Knochner
  1. Yes, I tried the Name Resolution suggestion with no effect.
  2. Yes, Wireshark freezes instantly. The "Open File" dialog does not even go away.
  3. Well again this is happening on both systems I tried it on, so I don't think it is an issue with my system, but on one of them I did recently install .NET Reflector.
  4. My Wireshark version is 1.8.1 rev 43946. My local computer here which is not the system these logs were recorded on, but is the one I have been spending the most time to try and open them, is Windows 7 Ultimate x64 with all Windows Updates installed.
(07 Aug '12, 12:52) namreeb

2.Yes, Wireshark freezes instantly. The "Open File" dialog does not even go away.

sounds like a bug. By any chance: Is there HSRP traffic in the capture file (Bug 7581)?

Some more questions:

  • Did you try other Wireshark versions (1.6.9)?
  • Do you load the files from a share? If so, please try from a local path.
(07 Aug '12, 17:18) Kurt Knochner

No, it should be strictly MySQL traffic in the capture. But it is on port 3307 rather than 3306 and at the time of loading I have not yet told it to analyze the traffic as MySQL.

No, the files are not being loaded from a share.

I downloaded Wireshark 1.6.9 and was unable to load it due to a missing "libxml2-2.dll". I downloaded 1.4.14 (rev 43964) and it loads! Should I report this on the bug tracker? I can provide my traffic dump if it will be limited to the developer(s).

(07 Aug '12, 19:40) namreeb

O.K. this sounds like a bug.

Should I report this on the bug tracker?

yes please.

I can provide my traffic dump if it will be limited to the developer(s).

You can mark the file as private during upload.

But it is on port 3307 rather than 3306

Does it fail to load any (mysql) capture file, or just your mysqsl traffic on port 3307?

Can you please try this short mysql sample?

http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=view&target=mysql_complete.pcap

(08 Aug '12, 01:28) Kurt Knochner
showing 5 of 6 show 1 more comments
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×18
×2
×2

Asked: 06 Aug '12, 23:33

Seen: 613 times

Last updated: 08 Aug '12, 01:29

Related questions

Usefull Color Rules?

will wireshark move to native mac windowing instead of X11?

Packet in Binary file but not showing in wireshark gui

Wireshark 1.8.0 causes screen freeze on Win7 64

How should I develop this tool?

No new log file is created after restart PC

windows 7 corrupt gui?

Wireshark looks inactive but isn't...

Screen "freezing" on Mac os x 10.7.1

Truncated URI in the Wireshark UI

about | faq | privacy | support | contact

powered by OSQA