Wireshark-bugs: [Wireshark-bugs] [Bug 4829] New: wireshark/tshark 64 bit stop after several pack

Date: Wed, 2 Jun 2010 12:51:25 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4829

           Summary: wireshark/tshark 64 bit stop after several packets
                    (1.3.5/1.2.6) both on build
           Product: Wireshark
           Version: 1.3.x (Experimental)
          Platform: x86-64
        OS/Version: Mac OS X 10.6
            Status: NEW
          Severity: Major
          Priority: Low
         Component: TShark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: mk@xxxxxxx


Build Information:
./wireshark -v
wireshark 1.3.5

Copyright 1998-2010 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.18.8, (64-bit) with GLib 2.22.5, with libpcap 1.0.0, with
libz 1.2.5, without POSIX capabilities, without libpcre, without SMI, without
c-ares, without ADNS, without Lua, without Python, without GnuTLS, without
Gcrypt, with MIT Kerberos, without GeoIP, without PortAudio, without AirPcap,
with new_packet_list.

Running on Darwin 10.3.0 (MacOS 10.6.3), with libpcap version 1.0.0, with libz
1.2.5.

Built using gcc 4.2.1 (Apple Inc. build 5659).

--
When starting either tshark or wireshark, after several packets (when tshark
catches up to dumpcap) the trace stops.

dumpcap still works and does not stop if run independently.

We narrowed it down as best we could to when the read has no data to read, and
then the select reports a read is available, the actual read on the pipe in
capture_sync.c returns an EOF, causing tshark (and we assume wireshark) to
assume the pipe is closed, and no more data is available for capture.

If you debug, or generate more data than tshark can empty from the buffer, the
problem does not occur until tshark catches up.

This did not occur with the site-provided package (i386), but the default
macports build is an x86_64.
The package was built using a simple macports command: port build wireshark-devel

Note: port build wireshark (version 1.2.6) has the same problem.

This is a fairly new Mac mini, so other than macports actions to upgrade the
packages, we have not customized the system.
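
The select-then-read sequence the report describes, as an added C example (not code from Wireshark's capture_sync.c and not from the reporter): on a POSIX pipe, a reader that has caught up should see a select timeout, and a 0-byte read only once every write end is closed. The names `poll_pipe` and `demo_pipe_states` are hypothetical, and the pipe traffic is constructed.

```c
#include <errno.h>
#include <sys/select.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

enum pipe_state { PIPE_DATA, PIPE_IDLE, PIPE_EOF, PIPE_ERROR };

/* Wait up to timeout_ms for fd, then read once and classify the outcome. */
enum pipe_state poll_pipe(int fd, int timeout_ms, char *buf, size_t len, ssize_t *got)
{
    fd_set rfds;
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    int ready;

    *got = 0;
    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    ready = select(fd + 1, &rfds, NULL, NULL, &tv);
    if (ready == 0)
        return PIPE_IDLE;              /* timeout: writer alive, nothing queued */
    if (ready < 0)
        return errno == EINTR ? PIPE_IDLE : PIPE_ERROR;

    *got = read(fd, buf, len);
    if (*got > 0)
        return PIPE_DATA;
    if (*got == 0)
        return PIPE_EOF;               /* readable + 0 bytes: write ends closed */
    /* Interrupted or spurious wakeup is not end-of-stream; retry later. */
    return (errno == EINTR || errno == EAGAIN) ? PIPE_IDLE : PIPE_ERROR;
}

/* Constructed scenario: returns 1 if idle, data and EOF are seen in order. */
int demo_pipe_states(void)
{
    int p[2];
    char buf[16];
    ssize_t n;
    int ok;

    if (pipe(p) != 0)
        return 0;
    ok = poll_pipe(p[0], 50, buf, sizeof buf, &n) == PIPE_IDLE;  /* caught up */
    ok = ok && write(p[1], "pkt", 3) == 3;
    ok = ok && poll_pipe(p[0], 50, buf, sizeof buf, &n) == PIPE_DATA && n == 3;
    close(p[1]);                                                 /* writer exits */
    ok = ok && poll_pipe(p[0], 50, buf, sizeof buf, &n) == PIPE_EOF;
    close(p[0]);
    return ok;
}

int main(void) { return demo_pipe_states() ? 0 : 1; }
```

If the first call reports `PIPE_EOF` while the writer still holds its end open, the platform is showing the behaviour described in the report.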
