ring buffer crash when tshark gets too far behind dumpcap

This issue was migrated from bug 9258 in our old bug tracker.

Original bug information:

Reporter: hoa…@‍gma…
Status: RESOLVED FIXED
Product: Wireshark
Component: TShark
OS: Windows 7
Platform: x86-64
Version: 1.10.1

See also: Issue #3333 (closed)

hoa…@‍gma… said:

Build Information:

Happens in both of version for user and developer ; both of Windows and Linux.

---

• Tshark always generates core dump if using both of 2 options: "-P" and "-w".

• For example: tshark -i 5 -P -w /tmp/oh.pcap -b filesize:1 -b files:5.

• Even we increase the filesize: 65535, maybe it takes more time but the problem still happens.

• The error message:
  "tshark: The file "/tmp/oh_00035_20131009165554.pcap" doesn't exist.
  Segmentation fault (core dumped)".

• Possible reason: the current file which was dissecting was deleted, so I think maybe because the speed of dissector is less than the speed of dumpcap.

added clitshark crash oswindows version1.10 labels

Jeff Morriss said:

*** This bug has been marked as a duplicate of bug #1650 ***

Jeff Morriss said:

Hmmm, looks like I jumped the gun. The seg-fault shouldn't be there. And it does seem to happen even at fairly low rates...

Jeff Morriss said:

The seg-fault is fixed in tshark in bcf51e81. Wireshark still has a problem, though.

But the root cause of this problem really is what's described in bug #1650: failure of the decoder to keep up with dumpcap's file rotation.

Jeff Morriss said:

I scheduled the tshark fix to be back-ported to 1.10.3 and 1.8.11. The Wireshark crash is more complicated, I'm not sure when I'll have time to finish looking at that.

hoa…@‍gma… said:

@‍Jeff Morriss: So, now if I download the code by svn from branch trunk-1.10, shall I have a fixed tshark?

Jeff Morriss said:

(In reply to #9258 (comment 400679046))

@Jeff Morriss: So, now if I download the code by svn from branch trunk-1.10, shall I have a fixed tshark?

Not yet. Normally non-critical fixes are back-ported by Gerald just before he does the release.

But if you download the trunk version from SVN you'll have the fix.

Do note, though, that it's only the fix for the core dump. tshark not keeping up with a dumpcap (and thus eventually reporting "file doesn't exist") is a fundamental problem described in bug #1650 (and not fixed yet).

Jeff Morriss said:

OK, I just found the very old bug #3333 (closed) which is this same seg-fault problem for the GUI. So:

1. this bug fixes the seg-fault in tshark
2. bug #3333 (closed) will fix the similar but different seg-fault in wireshark
3. bug #1650 describes the overall problem of *shark getting ahead of dumpcap's ring buffer

Closing this one as fixed (and fixing the Synopsis to better describe the problem).

closed