# How to debug Wireshark crash

Hello all,

How can I debug a Wireshark (version 3.2.5) crash on Windows 10?

1. Would it generate a crash report if it is built with RelWithDebugInfo?
2. Where can I locate the crash report on a Windows system? I mean, does it get printed in Event Viewer or some other place?
3. Would it report the stack backtrace as a result of the crash when built with RelWithDebugInfo?

I know I have an option to submit a bug report, but I want to try it myself first.

Amit


Unless you have modified the defaults, the crash dump will be in %LOCALAPPDATA%\CrashDumps

You can load the dump file in Visual Studio, or WinDbg. WinDbg has the !analyze command to triage the crash.

To make much sense of the crash you will need the debug symbols; these can be obtained from the download server. Look for wireshark-pdb-winxx-3.2.5.zip, where winxx is win32 or win64 for the bitness of Wireshark you have installed. Note that due to "issues", some pdb files were not uploaded by the build process, so they aren't available. Unfortunately 3.2.5 was one of the affected versions. You'll need to tell the debugger where to find the symbols once you extract them from the zip.

To look any further into the crash you will also need the sources; a tarball or git checkout of the tag will be sufficient.

Finally, 3.2.x is close to end of life. If you can create the crash with the current stable version, please submit that first and it will be backported as appropriate.


Thanks for the response.

Is a build with RelWithDebugInfo sufficient to get the crash dump? I don't even have the CrashDumps folder in the said location (C:\Users\<username>\AppData\Local\CrashDumps).

( 2021-03-18 16:36:33 +0000 )

Any build can produce a crash dump. What the build affects is the level of optimisation in the process that may make debugging more difficult, i.e. local vars are often not available.

Check the registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps to see if a non-default DumpFolder has been set. Some types of crash, e.g. a stack overflow, break things so badly that no crash dump is made. You can try running the executable under a debugger to try to catch that.

( 2021-03-18 17:16:54 +0000 )
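
A read-only check of the dump settings discussed in the answer and comment above, as an added example that is not part of the original thread. It assumes the crashing image is Wireshark.exe and reads the Windows Error Reporting values DumpFolder, DumpType and DumpCount (the last two are not mentioned in the thread), with a per-application subkey taking precedence over the global key.

```powershell
# Added example: resolve where Windows Error Reporting (WER) would write a
# Wireshark crash dump, then list any dumps already present.
# Assumption: the crashing process image is named Wireshark.exe.
$base  = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'
$image = 'Wireshark.exe'

function Get-WerDumpSetting {
    param([string]$Name, $Default)
    # A per-application subkey (LocalDumps\<image>) overrides the global values.
    foreach ($key in "$base\$image", $base) {
        if (Test-Path -LiteralPath $key) {
            $k = Get-Item -LiteralPath $key
            if ($k.GetValueNames() -contains $Name) {
                # GetValue expands REG_EXPAND_SZ data such as %LOCALAPPDATA%.
                return $k.GetValue($Name)
            }
        }
    }
    return $Default
}

# Fallbacks are the defaults Microsoft documents for LocalDumps:
# %LOCALAPPDATA%\CrashDumps, DumpType 1 (mini dump), DumpCount 10.
$folder = Get-WerDumpSetting -Name 'DumpFolder' -Default (Join-Path $env:LOCALAPPDATA 'CrashDumps')
$type   = Get-WerDumpSetting -Name 'DumpType'   -Default 1
$count  = Get-WerDumpSetting -Name 'DumpCount'  -Default 10
$typeName = @{ 0 = 'custom'; 1 = 'mini'; 2 = 'full' }[[int]$type]

[pscustomobject]@{
    # Microsoft documents local dump collection as off until this key exists.
    LocalDumpsKeyPresent = Test-Path -LiteralPath $base
    PerAppKeyPresent     = Test-Path -LiteralPath "$base\$image"
    DumpFolder           = $folder
    DumpType             = "$type ($typeName)"
    DumpCount            = $count
    DumpFolderExists     = Test-Path -LiteralPath $folder
} | Format-List

# WER names dump files <image>.<pid>.dmp; show the newest first.
if (Test-Path -LiteralPath $folder) {
    Get-ChildItem -LiteralPath $folder -Filter "$image*.dmp" |
        Sort-Object LastWriteTime -Descending |
        Select-Object Name, Length, LastWriteTime
}
```

If the LocalDumps key is reported as absent, a missing CrashDumps folder is the expected result rather than a sign that the build type is wrong.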