Wireshark-dev: Re: [Wireshark-dev] Wireshark 0.99.4 totally hangs XP Pro SP2

From: Ian <ianc.uk@xxxxxxxxx>
Date: Sun, 7 Jan 2007 02:26:50 +0000
On 1/6/07, Ulf Lamping <ulf.lamping@xxxxxx> wrote:

>
> Ian wrote:
> > I'm a Wireshark user and not a member of this list, so apologies if
> > posting as a non-member is inappropriate. I will subscribe to the list
> > if needs be.
> >
> > I have a problem capturing on Windows XP. I'm running Wireshark 0.99.4
> > installed using the Windows Installer package from wireshark.org
> > <http://wireshark.org>.
> >
> > I'm using Windows XP Pro SP2 with all patches installed. I have tried
> > completely removing Wireshark & WinPcap, doing a double reboot, and
> > reinstalling but the problem remains. It is the very same issue
> > reported over 12 months ago here (
> > http://www.ethereal.com/lists/ethereal-users/200512/msg00091.html). I
> > also had that very same problem with Ethereal which is why I updated
> > to the latest Wireshark release. WinDump works fine allowing me to
> > start multiple captures one after the other.
> >
> > I get a 50:50 chance of a hang when I start capturing. If the first
> > capture works the second (so far) has always failed. I have updated to
> > the latest NIC drivers and that hasn't fixed the problem.
> >
> > My system details are XP Pro SP2, HAL Version=" 5.1.2600.2180
> > (xpsp_sp2_rtm.040803-2158)"
> > NIC=ASUSTeK/Broadcom 440x 10/100 Integrated Controller - driver
> > bcm4sbxp.sys V4.47
> > I do have a Cisco VPN client V4.0.4(B) and Microsoft Virtual PC 2004
> > installed, but Ethereal has been working in the past with these
> > products without any problems.
> >
> > The fact that WinDump works OK would seem to lead one to think that
> > the problem lies somewhere within Wireshark and that is also what the
> > WinPcap FAQs state. However the fact that the whole machine freezes
> > (mouse cursor stops moving, keyboard CapsLock, NumLock, ScrollLock keys
> > no longer toggle the LEDs and the reset button is the only option)
> > would seem to suggest that the problem in fact lies within a driver
> > somewhere. Maybe Wireshark is passing bad data to the WinPcap driver?
> >
> > Does anyone have any suggestions as to what I might try next?
> >
> > Many thanks
> > Ian
> Thanks for this detailed report - it's helpful to get the right
> information with the first mail ;-)
>
> First of all, this is a bug related to WinPcap, as this is the place
> where the system hangs (only a driver can freeze the system). Wireshark
> may trigger this bug somehow, but it's really related to WinPcap and
> has to be fixed there.
>
> I guess this is a combination of WinPcap with the Cisco VPN client, as
> there are other related problems with it, see:
>  http://wiki.wireshark.org/CaptureSetup/InterferingSoftware
>
> You may first try to install WinPcap 4.0 beta 3 from
> http://www.winpcap.org/, maybe your problem has already been fixed. If
> not, try to disable the VPN client - and if that doesn't help try to
> deinstall it.
>
> I'm running Virtual PC myself without any problems, so it's probably not
> the cause of the problem - but who knows!
>
> If the problems remain even with the latest WinPcap beta, please report
> it to the WinPcap developers (and please report if the problem was
> solved also here) ...
>
> Regards, ULFL


Since I need the Cisco VPN when I work from home, I was a bit
reluctant to remove it in case I was unable to get it working again.
So I disabled the Deterministic Network Enhancer Miniport driver (DNE)
used by VPN software and the Cisco VPN Service (cvpnd) rather than
remove it. I then removed the Deterministic Network Enhancer bindings
from the LAN connection properties and rebooted.

Wireshark still hung the machine!

I forgot to mention in my first post that I was using Kerio Personal
Firewall, but it's an old version 2.1.5 and I have been using it for
years and Ethereal never had trouble with it before so I never really
considered it might be the problem this time. So just to be sure it
wasn't the firewall I disabled the Kerio Firewall driver (fwdrv) and
the Kerio Firewall service (PersFW), and once again rebooted. This
time Wireshark worked OK and I was able to start 6 or more captures
one after the other without any problems at all.

I re-enabled Kerio once again and rebooted. Then tried Wireshark again
and it hung on the first capture. On the next reboot I removed WinPcap
and installed 4.0 beta 3, and rebooted. Wireshark still hangs with the
new beta version so the problem is not yet fixed.

I will post a bug report to WinPcap.org.

Thanks
Ian