Revision history

Looking at my Wireshark profile, it seems that I asked about this last year, and there were some suggestions that I never followed up.

The PC has Avast Free Antivirus (22.6.6022 (build 22.6.7355.740) with virus definitions 220812-2) - so it's up-to-date.

I tried deleting the contents of the C:\Users\Martin\AppData\Roaming\Wireshark folder (with Wireshark and Dumpcap not running). Doing this made no difference to the hanging of Wireshark when a capture was started.

I tried manually starting dumpcap (from non-run-as-administrator CMD, cd "\program files\wireshark"):

dumpcap -v

Dumpcap (Wireshark) 3.6.7 (v3.6.7-0-g4a304d7ec222)

and

dumpcap -D

1. \Device\NPF_{DF4A9D2C-8742-4EB1-8703-D395C4183F33} (Local Area Connection* 4)
2. \Device\NPF_{E43D242B-9EAB-4626-A952-46649FBB939A} (Local Area Connection* 3)
3. \Device\NPF_{71F897D7-EB7C-4D8D-89DB-AC80D9DD2270} (Local Area Connection*)
4. \Device\NPF_{78032B7E-4968-42D3-9F37-287EA86C0AAA} (Local Area Connection* 10)
5. \Device\NPF_{8E301A52-AFFA-4F49-B9CA-C79096A1A056} (Local Area Connection* 5)
6. \Device\NPF_{8011C418-7680-4E0D-8DBE-6BBDB69009A0} (Local Area Connection)
7. \Device\NPF_{3F48FD02-D951-4DD8-BD3F-1F3457AA0890} (Local Area Connection 2)
8. \Device\NPF_Loopback (Adapter for loopback traffic capture)
9. \Device\NPF_{DCCFA951-E2BD-46E7-858D-FB42390694AE} (Local Area Connection* 2)

Option 6 "Local Area Connection" is the one that has an IP address bound to it and displays a graph next to it in the opening screen of Wireshark

dumpcap -i 6 -w - | wireshark -k -i -

Seems to work OK - I get a live capture and display of packets which I can stop and Wireshark remains responsive. OK, the dumpcap process carries on running and needs to be killed, but that's no hardship...

The output of the command (in the CMD window) is

(wireshark:14640) 14:44:24.240736 [GUI WARNING] -- Unable to open default EUDC font: "C:\\Windows\\FONTS\\EUDC.TTE"
Capturing on 'Local Area Connection'
File: -
Packets: 24  (wireshark:14640) 14:44:26.926890 [Capture MESSAGE] -- Capture Start ...
Packets: 30  (wireshark:14640) 14:44:27.204906 [Capture MESSAGE] -- Capture started
(wireshark:14640) 14:44:27.204906 [Capture MESSAGE] -- File: "C:\Users\Martin\AppData\Local\Temp\wireshark_-88RSQ1.pcapng"
Packets: 368  (wireshark:14640) 14:44:45.484952 [Capture MESSAGE] -- Capture Stop ...
(wireshark:14640) 14:44:45.655961 [Capture MESSAGE] -- Capture stopped.
Packets: 373

So dumpcap is running OK and is communicating with the wireshark UI process OK if it is started explicitly, but not if it is started automatically by Wireshark.

Is that warning about the missing C:\Windows\FONTS\EUDC.TTE file something to worry about? The file doesn't exist either on a Windows 10 PC which runs Wireshark fine, though the error message isn't displayed from the dumpcap -i 6 -w - | wireshark -k -i - command.

One difference between the Win7 and Win 10 PCs is that the Win10 doesn't have device "Local Area Connection" (without a number suffix) and has a device "Ethernet" instead which is the one which has the IP address bound to it and which I use for capturing (either from Wireshark normally, or from command line in this diagnostic test).

Is this a Win7/Win10 funny, or is the absence of "Ethernet" on Win 7 cause for concern?

Looking at my Wireshark profile, it seems that I asked about this last year, and there were some suggestions that I never followed up.

The PC has Avast Free Antivirus (22.6.6022 (build 22.6.7355.740) with virus definitions 220812-2) - so it's up-to-date.

I tried deleting the contents of the C:\Users\Martin\AppData\Roaming\Wireshark folder (with Wireshark and Dumpcap not running). Doing this made no difference to the hanging of Wireshark when a capture was started.

I tried manually starting dumpcap (from non-run-as-administrator CMD, cd "\program files\wireshark"):

dumpcap -v

Dumpcap (Wireshark) 3.6.7 (v3.6.7-0-g4a304d7ec222)

and

dumpcap -D

1. \Device\NPF_{DF4A9D2C-8742-4EB1-8703-D395C4183F33} (Local Area Connection* 4)
2. \Device\NPF_{E43D242B-9EAB-4626-A952-46649FBB939A} (Local Area Connection* 3)
3. \Device\NPF_{71F897D7-EB7C-4D8D-89DB-AC80D9DD2270} (Local Area Connection*)
4. \Device\NPF_{78032B7E-4968-42D3-9F37-287EA86C0AAA} (Local Area Connection* 10)
5. \Device\NPF_{8E301A52-AFFA-4F49-B9CA-C79096A1A056} (Local Area Connection* 5)
6. \Device\NPF_{8011C418-7680-4E0D-8DBE-6BBDB69009A0} (Local Area Connection)
7. \Device\NPF_{3F48FD02-D951-4DD8-BD3F-1F3457AA0890} (Local Area Connection 2)
8. \Device\NPF_Loopback (Adapter for loopback traffic capture)
9. \Device\NPF_{DCCFA951-E2BD-46E7-858D-FB42390694AE} (Local Area Connection* 2)

Option 6 "Local Area Connection" is the one that has an IP address bound to it and displays a graph next to it in the opening screen of Wireshark

dumpcap -i 6 -w - | wireshark -k -i -

Seems to work OK - I get a live capture and display of packets which I can stop and Wireshark remains responsive. OK, the dumpcap process carries on running and needs to be killed, but that's no hardship...

The output of the command (in the CMD window) is

(wireshark:14640) 14:44:24.240736 [GUI WARNING] -- Unable to open default EUDC font: "C:\\Windows\\FONTS\\EUDC.TTE"
Capturing on 'Local Area Connection'
File: -
Packets: 24  (wireshark:14640) 14:44:26.926890 [Capture MESSAGE] -- Capture Start ...
Packets: 30  (wireshark:14640) 14:44:27.204906 [Capture MESSAGE] -- Capture started
(wireshark:14640) 14:44:27.204906 [Capture MESSAGE] -- File: "C:\Users\Martin\AppData\Local\Temp\wireshark_-88RSQ1.pcapng"
Packets: 368  (wireshark:14640) 14:44:45.484952 [Capture MESSAGE] -- Capture Stop ...
(wireshark:14640) 14:44:45.655961 [Capture MESSAGE] -- Capture stopped.
Packets: 373

So dumpcap is running OK and is communicating with the wireshark UI process OK if it is started explicitly, but not if it is started automatically by Wireshark.

Is that warning about the missing C:\Windows\FONTS\EUDC.TTE file something to worry about? The file doesn't exist either on a Windows 10 PC which runs Wireshark fine, though the error message isn't displayed from the dumpcap -i 6 -w - | wireshark -k -i - command.

One difference between the Win7 and Win 10 PCs is that the Win10 doesn't have device "Local Area Connection" (without a number suffix) and has a device "Ethernet" instead which is the one which has the IP address bound to it and which I use for capturing (either from Wireshark normally, or from command line in this diagnostic test).

Is this a Win7/Win10 funny, or is the absence of "Ethernet" on Win 7 cause for concern?

Looking at my Wireshark profile, it seems that I asked about this last year, and there were some suggestions that I never followed up.

The PC has Avast Free Antivirus (22.6.6022 (build 22.6.7355.740) with virus definitions 220812-2) - so it's up-to-date.

I tried deleting the contents of the C:\Users\Martin\AppData\Roaming\Wireshark folder (with Wireshark and Dumpcap not running). Doing this made no difference to the hanging of Wireshark when a capture was started.

I tried manually starting dumpcap (from non-run-as-administrator CMD, cd "\program files\wireshark"):

  • dumpcap -v

Dumpcap (Wireshark) 3.6.7 (v3.6.7-0-g4a304d7ec222)

  • dumpcap -D
  1. \Device\NPF_{DF4A9D2C-8742-4EB1-8703-D395C4183F33} (Local Area Connection* 4)
  2. \Device\NPF_{E43D242B-9EAB-4626-A952-46649FBB939A} (Local Area Connection* 3)
  3. \Device\NPF_{71F897D7-EB7C-4D8D-89DB-AC80D9DD2270} (Local Area Connection*)
  4. \Device\NPF_{78032B7E-4968-42D3-9F37-287EA86C0AAA} (Local Area Connection* 10)
  5. \Device\NPF_{8E301A52-AFFA-4F49-B9CA-C79096A1A056} (Local Area Connection* 5)
  6. \Device\NPF_{8011C418-7680-4E0D-8DBE-6BBDB69009A0} (Local Area Connection)
  7. \Device\NPF_{3F48FD02-D951-4DD8-BD3F-1F3457AA0890} (Local Area Connection 2)
  8. \Device\NPF_Loopback (Adapter for loopback traffic capture)
  9. \Device\NPF_{DCCFA951-E2BD-46E7-858D-FB42390694AE} (Local Area Connection* 2)

Option 6 "Local Area Connection" is the one that has an IP address bound to it and displays a graph next to it in the opening screen of Wireshark

  • dumpcap -i 6 -w - | wireshark -k -i -

Seems to work OK - I get a live capture and display of packets which I can stop and Wireshark remains responsive. OK, the dumpcap process carries on running and needs to be killed, but that's no hardship...

The output of the command (in the CMD window) is

* (wireshark:14640) 14:44:24.240736 [GUI WARNING] -- Unable to open default EUDC font: "C:\Windows\FONTS\EUDC.TTE"
Capturing on 'Local Area Connection'
File: -
Packets: 24 * (wireshark:14640) 14:44:26.926890 [Capture MESSAGE] -- Capture Start ...
Packets: 30 * (wireshark:14640) 14:44:27.204906 [Capture MESSAGE] -- Capture started
* (wireshark:14640) 14:44:27.204906 [Capture MESSAGE] -- File: "C:\Users\Martin\AppData\Local\Temp\wireshark_-88RSQ1.pcapng"
Packets: 368 * (wireshark:14640) 14:44:45.484952 [Capture MESSAGE] -- Capture Stop ...
* (wireshark:14640) 14:44:45.655961 [Capture MESSAGE] -- Capture stopped.
Packets: 373

So dumpcap is running OK and is communicating with the wireshark UI process OK if it is started explicitly, but not if it is started automatically by Wireshark.

Is that warning about the missing C:\Windows\FONTS\EUDC.TTE file something to worry about? The file doesn't exist either on a Windows 10 PC which runs Wireshark fine, though the error message isn't displayed from the dumpcap -i 6 -w - | wireshark -k -i - command.

One difference between the Win7 and Win 10 PCs is that the Win10 doesn't have device "Local Area Connection" (without a number suffix) and has a device "Ethernet" instead which is the one which has the IP address bound to it and which I use for capturing (either from Wireshark normally, or from command line in this diagnostic test). Is this a Win7/Win10 funny, or is the absence of "Ethernet" on Win 7 cause for concern?