Wireshark UI hangs during capture (data still being captured)

asked 2022-08-12 13:00:16 +0000

martinu

I have a Windows 7 Home Premium PC, connected by Ethernet to my LAN. It used to run Wireshark perfectly (as for a Win 10 PC, and for various Linux computers) but an upgrade a few months ago seems to have permanently stopped it capturing. No packets are displayed during capturing, and if I press the square STOP button, the app goes "Not responding". It is still possible to find the temporary .pcapng file, save it and then load it into Wireshark (after killing off the "not responding" process in Task Manager), so the actual capturing is OK: it's the live display that seems to be killing the UI process.

I've tried uninstalling Wireshark and Npcap packages and then reinstalling (e.g. using the latest V3.6.7 x64 package), but this does not resolve the problem.


1 Answer


answered 2022-08-12 14:13:17 +0000

martinu

updated 2022-08-12 15:40:01 +0000

grahamb

Looking at my Wireshark profile, it seems that I asked about this last year, and there were some suggestions that I never followed up.

The PC has Avast Free Antivirus (22.6.6022 (build 22.6.7355.740) with virus definitions 220812-2) - so it's up-to-date.

I tried deleting the contents of the C:\Users\Martin\AppData\Roaming\Wireshark folder (with Wireshark and Dumpcap not running). Doing this made no difference to the hanging of Wireshark when a capture was started.

I tried manually starting dumpcap (from non-run-as-administrator CMD, cd "\program files\wireshark"):

dumpcap -v

Dumpcap (Wireshark) 3.6.7 (v3.6.7-0-g4a304d7ec222)

and

dumpcap -D

1. \Device\NPF_{DF4A9D2C-8742-4EB1-8703-D395C4183F33} (Local Area Connection* 4)
2. \Device\NPF_{E43D242B-9EAB-4626-A952-46649FBB939A} (Local Area Connection* 3)
3. \Device\NPF_{71F897D7-EB7C-4D8D-89DB-AC80D9DD2270} (Local Area Connection*)
4. \Device\NPF_{78032B7E-4968-42D3-9F37-287EA86C0AAA} (Local Area Connection* 10)
5. \Device\NPF_{8E301A52-AFFA-4F49-B9CA-C79096A1A056} (Local Area Connection* 5)
6. \Device\NPF_{8011C418-7680-4E0D-8DBE-6BBDB69009A0} (Local Area Connection)
7. \Device\NPF_{3F48FD02-D951-4DD8-BD3F-1F3457AA0890} (Local Area Connection 2)
8. \Device\NPF_Loopback (Adapter for loopback traffic capture)
9. \Device\NPF_{DCCFA951-E2BD-46E7-858D-FB42390694AE} (Local Area Connection* 2)

Option 6 "Local Area Connection" is the one that has an IP address bound to it and displays a graph next to it in the opening screen of Wireshark

dumpcap -i 6 -w - | wireshark -k -i -

Seems to work OK - I get a live capture and display of packets which I can stop and Wireshark remains responsive. OK, the dumpcap process carries on running and needs to be killed, but that's no hardship...

The output of the command (in the CMD window) is

(wireshark:14640) 14:44:24.240736 [GUI WARNING] -- Unable to open default EU
DC font: "C:\\Windows\\FONTS\\EUDC.TTE"
Capturing on 'Local Area Connection'
File: -
Packets: 24  (wireshark:14640) 14:44:26.926890 [Capture MESSAGE] -- Capture Start ...
Packets: 30  (wireshark:14640) 14:44:27.204906 [Capture MESSAGE] -- Capture started
(wireshark:14640) 14:44:27.204906 [Capture MESSAGE] -- File: "C:\Users\Martin\AppData\Local\Temp\wireshark_-88RSQ1.pcapng"
Packets: 368  (wireshark:14640) 14:44:45.484952 [Capture MESSAGE] -- Capture
Stop ...
(wireshark:14640) 14:44:45.655961 [Capture MESSAGE] -- Capture stopped.
Packets: 373

So dumpcap is running OK and is communicating with the wireshark UI process OK if it is started explicitly, but not if it is started automatically by Wireshark.

Is that warning about the missing C:\Windows\FONTS\EUDC.TTE file something to worry about? The file doesn't exist either on a Windows 10 PC which runs Wireshark fine, though the error message isn't displayed from the dumpcap -i 6 -w - | wireshark -k -i - command.

One difference between the Win7 and Win 10 PCs is that the Win10 doesn't have device "Local Area Connection" (without a number suffix) and has a device "Ethernet" instead which is the one which has the IP address bound to it and which I use for capturing (either from Wireshark normally, or from command line in this diagnostic test).

Is this a Win7/Win10 funny, or is the absence of "Ethernet" on ... (more)


Comments

The "friendly name" of the interface can be set by the user, open the "Network Connections" dialog and rename adaptors as required by right-clicking and choosing "Rename". "Ethernet" (with a numeric suffix if you have more than 1 NIC) is the default Windows (10+ ??) way of naming NICs.

I would assume the font warning is because somewhere in your Wireshark profile you have a reference to that font.

What is the full output from dumpcap -v?

grahamb ( 2022-08-12 15:48:27 +0000 )

The full response is

Dumpcap (Wireshark) 3.6.7 (v3.6.7-0-g4a304d7ec222)

Copyright 1998-2022 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) using Microsoft Visual Studio 2019 (VC++ 14.31, build 31107),
with GLib 2.66.4, with zlib 1.2.11, with libpcap.

Running on 64-bit Windows 7 Service Pack 1, build 7601, with AMD Athlon(tm) II
X4 630 Processor, with 8190 MB of physical memory, with GLib 2.66.4, with Npcap
version 1.60, based on libpcap version 1.10.2-PRE-GIT, with LC_TYPE=C, binary
plugins supported (0 loaded).

Good to know that the difference in friendly name isn't significant.

martinu ( 2022-08-12 16:02:42 +0000 )

You might want to try uninstalling Npcap 1.60, rebooting and then installing the latest (1.70). However, as you're using an obsolete and unsupported OS, there are no guarantees.

grahamb ( 2022-08-12 16:08:50 +0000 )
