Wireshark · Ethereal-users: Re: [Ethereal-users] ethereal locks up when I stop a capture

Ethereal-users: Re: [Ethereal-users] ethereal locks up when I stop a capture

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>

Date: Tue, 17 Apr 2001 11:17:52 -0700 (PDT)

> Yesterday I retrieved sources for Ethereal (0.8.17) and libpcap (0.6.2)
> which I compiled and installed on a RedHat 6.2 system (PII-300 384MB
> ram). In two tests yesterday afternoon just prior to leaving work,
> ethereal froze when I clicked stop on one of the two tests. Not having
> more time to put in yesterday, I nevertheless left it running all night
> last night because we've been having unusual traffic overnight on one of
> our networks. This morning I came in, clicked stop, and ethereal froze.
> 
> Is there anything known that will cause this?

Receiving a packet containing an IP address that Ethereal would try to
translate to a host name, if one of the DNS servers required for that
operation is down would cause that.

When you click "Stop" on a non-"Update list of packets in real time"
capture, Ethereal reads the capture file in, and dissects the packets in
the capture, which, as indicated, may include translating IP addresses
to host names.  If a DNS server involved in that process is down,
Ethereal could block for a significant amount of time waiting for that
lookup to finish.

> Is there anything I can do to preserve the data captured last night or
> is it already toast?

Well, eventually the DNS lookup will time out - and Ethereal will
remember that the lookup in question failed, and won't try to look up
that particular IP address again.  It may have timeouts on subsequent
lookups, though, and stall again.

Eventually, however, it'll finish reading the capture.

Another possibility is that there's a bug in a dissector that causes it
to loop infinitely; in that case, obviously, Ethereal won't finish.

> I had set ethereal up to log the capture to a file in my home directory
> but the name I gave does not exist there. Might there be a temp file
> somewhere I could salvage?

Not if you put the name of that file in the "File:" box in the "Capture
Preferences" dialog - it wouldn't have written the capture to a
temporary file, it would've written it to that file, and, if that file
isn't there, either somebody removed it or, by some means unknown to us,
it never even started the capture...

...or you didn't put the name in there that you thought you did, or you
put in a relative pathname and Ethereal wasn't running, at the time it
started the capture, in the directory you thought it was.

Follow-Ups:
- Re: [Ethereal-users] ethereal locks up when I stop a capture
  - From: Mike Rambo

References:
- [Ethereal-users] ethereal locks up when I stop a capture
  - From: Mike Rambo

Prev by Date: [Ethereal-users] ethereal locks up when I stop a capture
Next by Date: RE: [Ethereal-users] ethereal 0.8.17
Previous by thread: [Ethereal-users] ethereal locks up when I stop a capture
Next by thread: Re: [Ethereal-users] ethereal locks up when I stop a capture
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$