Ask Your Question

Can't install Wireshark 2.4.3

asked 2018-01-16 14:57:32 +0000

updated 2018-01-16 15:50:04 +0000

Jaap gravatar image

I have been trying to install Wireshark 2.4.3 on Windows Server 2008 for several days with no success. Every time I start the install, I immediately receive the following message: Wireshark or one of its associated programs is running. Please close it first.

There are no other Wireshark programs installed. I have tried several solutions.

  1. Verified there were no processes or services related to Wireshark, Tshark or WinPcap. Dumpcap, or USBPcapCMD.exe
  2. Searched the entire hard drive and registry for any instances of
  3. Rebooted server
  4. Verified that there is no NPF (Network Packet Filter) 'device' in device manager under hidden devices.
  5. searched hard drive and registry for "Packet.dll"

What is the solution to install Wireshark under these conditions?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2018-01-16 15:33:22 +0000

grahamb gravatar image

updated 2018-01-24 16:11:31 +0000

The message is generated by the Wireshark installer and is nothing to do with WinPcap or USBPcap.

The program named in the message is the one causing the issue. The installer attempts to open a mutex that is hard-coded into the Wireshark executable, and if it can, that indicates a copy of Wireshark is running somewhere, or at least a process has created the "Wireshark" mutex.

To find the errant process, you need to install a tool that can search for mutexes. I use Process Explorer, run it as Administrator, from the menu choose "Find", then "Find Handle or DLL..." and in the substring field enter Wireshark-is-running-{9CA78EEA-EA4D-4490-9240-FC01FCEF464B} and click "Search".

Hopefully the display will eventually update to show you the process with the mutex. Each Wireshark process creates 2 copies of the process, one for the user session and one global for the whole machine. You can double click on the process to make the main display highlight the process which you can then terminate by hitting Delete or right-clicking the process and choosing "Kill" from the menu.

Please report back if you find anything running, especially if it's a process named other than Wireshark.

edit flag offensive delete link more


I am not allowed to use Process Explorer on our network. We are able to use Process Monitor. I don't know if that will allow me to do the same as Process Explorer, but that is my next step.

MrScott1968 gravatar imageMrScott1968 ( 2018-01-17 21:30:48 +0000 )edit

Odd that you can use ProcMon from SysInternals (MS), but not ProcExp from SysInternals (MS).

Nope, ProcMon won't help. I'm not aware of any other tools that can list the mutexes along with the associated process.

grahamb gravatar imagegrahamb ( 2018-01-18 11:17:38 +0000 )edit

I finally installed Process Explorer. There is no {Wireshark-is-running-{9CA78EEA-EA4D-4490-9240-FC01FCEF464B} found when I do a search. I also searched for Wireshark alone and looked through the entire list of processes and there is nothing there.

MrScott1968 gravatar imageMrScott1968 ( 2018-01-24 16:01:01 +0000 )edit

Were you running Process Explorer as an Administrator, if not try that (if possible)?

If you are, I'm not sure what's happening then.

The only thing I can think of is to try to ensure the installer is run with elevated privileges. Can you try to right-click the installer and choose "Run as Administrator"?

grahamb gravatar imagegrahamb ( 2018-01-24 16:15:12 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2018-01-16 14:57:32 +0000

Seen: 114 times

Last updated: Jan 24