Wireshark-users: Re: [Wireshark-users] running multiple instances

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 10 Nov 2009 10:19:35 -0800

On Nov 10, 2009, at 9:33 AM, Nicole Powell wrote:

Could it also relate to cap vs. pcap file? I tried 145KB .cap file and it ran fine but a 130KB .pcap file stalls tshark as well.

What is a ".cap file"? There are at least two Windows packets I know of (Windows Sniffer and Microsoft Network Monitor) that use ".cap" as a suffix, and their file formats are different. Furthermore, there are probably at least some libpcap-format files that have ".cap" as the suffix.

In any case, the chances that it's an issue with the file format are extremely slim; it's probably a problem with the packets in the file.

Also, "stalls" and "gives an application error and shuts down" are different problems.

In addition, these commands are done using Python and that's when the errors occurs. If I perform the commands from the command prompt, it runs fine.

(Perform them from the command prompt with the same file?)

If you run them from Python, the Python interpreter and at least one instance of TShark are running at the same time. If you ran Python from the command line, the command-line shell, the Python interpreter, and at least one instance of TShark are running at the same time.

If you run them from the command line, the command-line shell and at least one instance of TShark are running at the same time, but you're not running Python. Perhaps the Python interpreter is taking enough memory that you run out of swap/paging space, and thus cause attempts by TShark to allocate memory to fail?

(This assumes the application error is a failure to allocate memory.)