Wireshark-bugs: [Wireshark-bugs] [Bug 8281] New: Wireshark out-of-memory crash on Windows Server

Date: Thu, 31 Jan 2013 20:38:13 +0000
Bug ID 8281
Summary Wireshark out-of-memory crash on Windows Server when logged in via Remote Desktop
Classification Unclassified
Product Wireshark
Version 1.8.5
Hardware x86-64
OS Windows Server 2008 R2
Status UNCONFIRMED
Severity Major
Priority Low
Component Wireshark
Assignee [email protected]
Reporter [email protected]

Created attachment 9912
Wireshark capture using "Use multiple files" option and "Ring buffer with" 2.

Build Information:
Version 1.8.5 (SVN Rev 47350 from /trunk-1.8)

Copyright 1998-2013 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.24.14, with Cairo 1.10.2, with Pango 1.30.1, with
GLib 2.34.1, with WinPcap (4_1_2), with libz 1.2.5, without POSIX capabilities,
with SMI 0.4.8, with c-ares 1.7.1, with Lua 5.1, without Python, with GnuTLS
2.12.18, with Gcrypt 1.4.6, without Kerberos, with GeoIP, with PortAudio
V19-devel (built Jan 29 2013), with AirPcap.

Running on 64-bit Windows Server 2008 R2 Service Pack 1, build 7601, with
WinPcap version 4.1.2 (packet.dll version 4.1.0.2001), based on libpcap version
1.0 branch 1_0_rel0b (20091008), GnuTLS 2.12.18, Gcrypt 1.4.6, without AirPcap.

Built using Microsoft Visual C++ 10.0 build 40219
--
Wireshark v1.8.5, 64-bit version on Windows Server 2008 R2 with 2gig memory,
running as a VM under RHEL with xen, runs out of memory after a very short time.
Measurements of memory usage are from Windows Task Manager, "Processes" tab.

When monitoring live or when viewing a captured file (see attached), Wireshark
uses a lot more memory when logged into Windows using Remote Desktop, than when
logged in directly on the local console.  

When logged in via Remote Desktop, after loading the captured file, if I move
down through the frames one at a time, by the time I get to frame 1600,
Wireshark is using 1.5 Gig of memory on Windows Server 2003, Windows Server 2008
(32-bit) and Windows Server 2008 R2 (64-bit).

On Windows 7 (64-bit version) via Remote Desktop and on XP (32-bit), when I do
the same thing, the memory usage fluctuates up and down within a 3 meg range.
The capture file is only 973K bytes long and has 2953 frames. Viewing all 2953
frames this way, Wireshark 32-bit versions only is using 86Meg of memory on
Windows XP.

Wireshark memory problem occurs on Windows Servers, when logged in via MS
Remote Desktop. Both Wireshark 32-bit and 64-bit have the problem.

Wireshark memory problem does NOT occur when logged in to the xen console to
Windows Servers. (Tested both Wireshark 32-bit and 64-bit)

The common theme of when the problem occurs is Windows Server 2003, 2008
32-bit, or 2008 64-bit when logged in via MS Remote Desktop.

Wireshark v1.8.4 and Wireshark-win32-1.9.0-SVN-47367.exe (32-bit version) have
the same problems on Windows Server 2003 (32-bit).

Using VS 2010 Express, on the Windows Server 2003, I found the following with
v1.8.4:
When I traced through the selection of a frame in the top window it looks like
it is in the GTK. Specifically, the call in function add_byte_tab() in
main_proto_draw.c (line 763 in v1.8.4): gtk_container_get(...) increases memory
usage in Wireshark by 164K bytes under Windows Server 2003, but only 4K bytes
under Windows XP. This was moving from 1st to 2nd frame of a captured file.  As
far as I can tell, all the other memory allocation occurs outside of the
Wireshark.exe, either before or after it is called from the GTK.

