Wireshark-dev: Re: [Wireshark-dev] Building Wireshark on Windows

From: David Ameiss <netshark@xxxxxxxxxxxxx>
Date: Thu, 15 Nov 2012 09:31:22 -0600
Interesting. From the official 1.8.2 64-bit release:

==========
Microsoft (R) COFF/PE Dumper Version 9.00.21022.08
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file c:\program files\wireshark\wireshark.exe

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
            8664 machine (x64)
               6 number of sections
        502BCA0F time date stamp Wed Aug 15 11:10:55 2012
               0 file pointer to symbol table
               0 number of symbols
              F0 size of optional header
              22 characteristics
                   Executable
                   Application can handle large (>2GB) addresses

OPTIONAL HEADER VALUES
             20B magic # (PE32+)
           10.00 linker version
          196600 size of code
          188600 size of initialized data
               0 size of uninitialized data
          195120 entry point (0000000140195120)
            1000 base of code
       140000000 image base (0000000140000000 to 0000000140322FFF)
            1000 section alignment
             200 file alignment
            5.02 operating system version
            0.00 image version
            5.02 subsystem version
               0 Win32 version
          323000 size of image
             400 size of headers
          30BE6E checksum
               2 subsystem (Windows GUI)
            8140 DLL characteristics
                   Dynamic base
                   NX compatible
                   Terminal Server Aware
          100000 size of stack reserve
            1000 size of stack commit
          100000 size of heap reserve
            1000 size of heap commit
               0 loader flags
              10 number of directories
==========

And from my local build based on 1.8.2:

==========
Microsoft (R) COFF/PE Dumper Version 9.00.21022.08
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file c:\program files\wireshark\wireshark.exe

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
            8664 machine (x64)
               6 number of sections
        50A2870D time date stamp Tue Nov 13 11:44:45 2012
               0 file pointer to symbol table
               0 number of symbols
              F0 size of optional header
              22 characteristics
                   Executable
                   Application can handle large (>2GB) addresses

OPTIONAL HEADER VALUES
             20B magic # (PE32+)
           10.00 linker version
          199800 size of code
          18A000 size of initialized data
               0 size of uninitialized data
          198260 entry point (0000000140198260)
            1000 base of code
       140000000 image base (0000000140000000 to 0000000140326FFF)
            1000 section alignment
             200 file alignment
            6.01 operating system version
            0.00 image version
            6.01 subsystem version
               0 Win32 version
          327000 size of image
             400 size of headers
               0 checksum
               2 subsystem (Windows GUI)
            8140 DLL characteristics
                   Dynamic base
                   NX compatible
                   Terminal Server Aware
          100000 size of stack reserve
            1000 size of stack commit
          100000 size of heap reserve
            1000 size of heap commit
               0 loader flags
              10 number of directories
==========

The differences appear to be "operating system version" (5.02 for official, 6.01 for local) and "subsystem version" (same values). I would imagine that would at least contribute to the problem.

But I'm not sure how to correct it.


On Nov 15, 2012, at 3:38 AM, Graham Bloice <graham.bloice@xxxxxxxxxxxxx> wrote:


On 14 November 2012 20:14, David Ameiss <netshark@xxxxxxxxxxxxx> wrote:
Building the 32-bit version of Wireshark in the same environment (Windows 7, VS2010EE), the resulting Wireshark.exe runs correctly on Vista.

So now I'm starting to think either (a) VS2010EE 64-bit executables can only be run on Windows 7 [at least if built on Windows 7], or (b) my setup for building 64-bit on Windows 7 isn't quite correct. And since the 64-bit Wireshark runs just fine on Windows 7, I'm leaning toward (a) above.

My understanding is that the Wireshark build machine for 64-bit is using VS2010, not VS2010EE. Is that correct?


The missing IESHIMS.DLL isn't an issue; I think it's some sort of compatibility DLL that I've noticed depends always reports as missing.

What does the output of "dumpbin /headers path\to\your\wireshark\executable" look like for the version that doesn't work?  The interesting bit is the first part of the output; the section header bits aren't much use in this case.

What I would like to see is the PE header Windows target.
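
The comparison done by eye in the message above can be scripted. The following is an added example, not part of the original thread or of Wireshark's code: it reads the optional-header fields that dumpbin prints and diffs two images. The function names are hypothetical, the byte strings are constructed from the values in the two dumps, and the rule in `loads_on` (an image is refused when its subsystem version is newer than the running Windows version) is an assumption about loader behaviour.

```python
import struct

VISTA, WINDOWS_7 = (6, 0), (6, 1)   # (major, minor) of the running OS

def build_sample(os_ver, subsys_ver, checksum):
    """Constructed, headers-only PE32+ image carrying the fields dumpbin shows."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, 6, 0, 0, 0, 0xF0, 0x22)
    opt = struct.pack("<HBBIIIIIQII", 0x20B, 10, 0, 0, 0, 0, 0, 0x1000,
                      0x140000000, 0x1000, 0x200)
    opt += struct.pack("<HHHHHHIIIIHH", *os_ver, 0, 0, *subsys_ver,
                       0, 0, 0x400, checksum, 2, 0x8140)
    return dos + b"PE\0\0" + coff + opt.ljust(0xF0, b"\0")

def parse_pe_versions(data):
    """Return the version, checksum and mitigation fields of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24               # 4-byte signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+; offsets below match in both
        raise ValueError("unknown optional header magic")
    os_maj, os_min, _, _, ss_maj, ss_min = struct.unpack_from("<6H", data, opt + 40)
    checksum, _subsystem, dll_chars = struct.unpack_from("<IHH", data, opt + 64)
    return {"os_version": (os_maj, os_min),
            "subsystem_version": (ss_maj, ss_min),
            "checksum": checksum,
            "aslr": bool(dll_chars & 0x0040),   # "Dynamic base"
            "nx": bool(dll_chars & 0x0100)}     # "NX compatible"

def diff_headers(a, b):
    """Fields whose values differ between two parsed images."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

def loads_on(info, windows_version):
    """Assumed rule: subsystem version must not exceed the running OS version."""
    return info["subsystem_version"] <= windows_version

if __name__ == "__main__":
    official = parse_pe_versions(build_sample((5, 2), (5, 2), 0x30BE6E))
    local = parse_pe_versions(build_sample((6, 1), (6, 1), 0))
    for field, (a, b) in diff_headers(official, local).items():
        print(f"{field}: official={a} local={b}")
    print("local build loads on Vista:", loads_on(local, VISTA))
```

To check real binaries, pass the bytes read from each file to `parse_pe_versions` instead of the constructed samples.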