This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark process runs but the GUI window never opens.

0

Hi, I just installed Wireshark today and the installer popped an error on uninstalling the older version of WinPCap. The installer continued anyway and said it completed. When I start it now I get a few little popups that show Wireshark trying to load but the GUI never comes up. I can see the Wireshark process in ProcessExplorer but nothing else happens. I uninstalled Wireshark, rebooted and uninstalled WinPCap, rebooted and reinstalled the package but I get the same results; popups go by, process starts, no GUI. Any thoughts or suggestions?

This question is marked "community wiki".

asked 12 Aug '13, 20:20

charlieagiii
accept rate: 100%

Independent from Wireshark - if someone knows this problem I'd be very interested in that too because aside from Wireshark I've had this issue with a few other applications.

(13 Aug '13, 00:26) Landi

I'd be very interested in that too because aside from wireshark I've had this issue with a few other applications

Me too. And I have a strong feeling that it is related to UAC.

(13 Aug '13, 04:30) Kurt Knochner ♦

Or possibly DEP-related? As a test, you could try adding a DEP exception.

(13 Aug '13, 08:27) cmaynard ♦♦

I think a DEP related issue would just cause an exception with the resultant error dialog, rather than allowing the process to continue to run silently.

(13 Aug '13, 09:06) grahamb ♦

3 Answers:

0

Well, this is embarrassing. It turns out that I use a utility called MultiMon Taskbar to allow me to "throw" Windows Media Player onto my TV with a keyboard shortcut. The TV is treated like a second monitor. I had the TV's input set to TV instead of PC so I was not seeing that Wireshark had decided to open in the second monitor, which has its own independent taskbar where the Wireshark program was showing up instead of it showing up on the taskbar of the primary monitor. It would appear that it was there the whole time but I was unable to see it until I changed the TV's input to PC. Thanks to everyone who participated in helping me troubleshoot this one. Sorry for the inconvenience, Charlieagiii

answered 14 Aug '13, 14:05

charlieagiii
accept rate: 100%

1

If you can produce a memory dump as shown here and post it somewhere, I can have a look at it in the debugger and try to see what the Wireshark process is up to. Please zip up the dump before processing it.

Warning! The memory dump may contain information about your system that could be considered sensitive. It will contain the full process memory image and will expose things such as the machine name, any domain it belongs to, the account the process is running under and possibly other things. There shouldn't be any passwords, but if you've added SSL private keys to Wireshark then they may be in the image.

answered 13 Aug '13, 00:46

grahamb ♦
accept rate: 22%
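
As an added example (not part of the original answer and not Wireshark project code): a pre-share check for the dump described in the warning above, searching the file for strings you consider sensitive in both narrow and UTF-16LE form. The function names, the search terms and the fake dump are constructed for illustration.

```python
import mmap
import os
import re
import tempfile

def scan_dump(path, terms):
    """Return {term: [(offset, encoding), ...]} for every term found in the dump."""
    hits = {}
    if os.path.getsize(path) == 0:          # mmap cannot map an empty file
        return hits
    with open(path, "rb") as fh, \
            mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mem:
        for term in terms:
            # Windows code keeps strings both narrow and as UTF-16LE wide strings.
            for enc in ("utf-8", "utf-16-le"):
                pattern = re.compile(re.escape(term.encode(enc)), re.IGNORECASE)
                for match in pattern.finditer(mem):
                    hits.setdefault(term, []).append((match.start(), enc))
    return hits

def build_sample_dump():
    """Write a constructed stand-in for a .dmp file and return its path."""
    blob = (b"\x00" * 64
            + "LAB-PC01".encode("utf-16-le")        # constructed machine name
            + b"\x90" * 32
            + b"USERNAME=alice"                     # constructed account name
            + b"\xff" * 16
            + b"-----BEGIN RSA PRIVATE KEY-----")   # PEM header of a key file
    fd, path = tempfile.mkstemp(suffix=".dmp")
    with os.fdopen(fd, "wb") as fh:
        fh.write(blob)
    return path

if __name__ == "__main__":
    sample = build_sample_dump()
    try:
        # Terms are assumptions: replace with your own host, domain and user.
        found = scan_dump(sample, ["lab-pc01", "alice", "PRIVATE KEY-----"])
        for term, places in found.items():
            for offset, enc in places:
                print(f"{term!r} at offset {offset:#x} ({enc})")
    finally:
        os.remove(sample)
```

A clean result only covers the strings you searched for; key material held in parsed binary form will not match a text marker.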

I followed your link for the dump and see that it applies to Vista and Win 7. Is the process the same for XP SP3? I don't have the PC involved booted right now to test it.

(13 Aug '13, 01:59) charlieagiii

For XP SP3 you'll need a different method. procdump has worked for me; ensure you only have a single running Wireshark process that's in the broken state and run procdump as: procdump -ma Wireshark.exe

(13 Aug '13, 02:05) grahamb ♦

Will try and run procdump this evening. New info: When the Wireshark process starts, ProcessExplorer also shows dumpcap.exe starting, running for about a second and shutting down. Also, I'm not finding a process for WinPCap. Can you tell me the name of the process and/or service for WinPCap?

(13 Aug '13, 23:26) charlieagiii

Interesting, I don't see that but I do have a fast machine so maybe I miss it :-) How are you starting Wireshark? Does tshark run OK for you? What about dumpcap? Use dumpcap -D to see what devices it can find on your machine.

WinPCap is essentially a few userspace DLLs that are linked to the user application (dumpcap) and a kernel driver (npf.sys). See the WinPCap docs for more info.

(14 Aug '13, 02:10) grahamb ♦

0

I'd be very interested in that too because aside from wireshark I've had this issue with a few other applications

I still think that it may be related to UAC. Can you please run Wireshark as Administrator (NOT recommended for daily operation) and/or try to disable UAC?

If the GUI is still not showing up, please check any interfering security software on your system (Firewall, AV, IDS, Endpoint Security, etc.). Please disable those tools (for a test) and restart Wireshark (after you have killed the hanging process). Does it work then?

Regards
Kurt

answered 14 Aug '13, 04:38

Kurt Knochner ♦
accept rate: 15%

Hi Kurt, I found the answer (please see below?) but thought I should mention that as far as I know there is no UAC in Win XP SP 3.

(14 Aug '13, 14:02) charlieagiii