
Can't install Wireshark 2.4.3


I have been trying to install Wireshark 2.4.3 on Windows Server 2008 for several days with no success. Every time I start the install, I immediately receive the following message: Wireshark or one of its associated programs is running. Please close it first.

There are no other Wireshark programs installed. I have tried several solutions.

  1. Verified there were no processes or services related to Wireshark, Tshark, WinPcap, Dumpcap, or USBPcapCMD.exe
  2. Searched the entire hard drive and registry for any instances of
  3. Rebooted server
  4. Verified that there is no NPF (Network Packet Filter) 'device' in device manager under hidden devices.
  5. Searched hard drive and registry for "Packet.dll"

What is the solution to install Wireshark under these conditions?

MrScott1968
asked 2018-01-16 14:57:32 +0000
Jaap
updated 2018-01-16 15:50:04 +0000


1 Answer


The message is generated by the Wireshark installer and is nothing to do with WinPcap or USBPcap.

The program named in the message is the one causing the issue. The installer attempts to open a mutex that is hard-coded into the Wireshark executable, and if it can, that indicates a copy of Wireshark is running somewhere, or at least a process has created the "Wireshark" mutex.

To find the errant process, you need to install a tool that can search for mutexes. I use Process Explorer, run it as Administrator, from the menu choose "Find", then "Find Handle or DLL..." and in the substring field enter Wireshark-is-running-{9CA78EEA-EA4D-4490-9240-FC01FCEF464B} and click "Search".

Hopefully the display will eventually update to show you the process with the mutex. Each Wireshark process creates 2 copies of the process, one for the user session and one global for the whole machine. You can double click on the process to make the main display highlight the process which you can then terminate by hitting Delete or right-clicking the process and choosing "Kill" from the menu.

Please report back if you find anything running, especially if it's a process named other than Wireshark.

grahamb
answered 2018-01-16 15:33:22 +0000, updated 2018-01-24 16:11:31 +0000
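
The check described in the answer can also be reproduced from PowerShell when a handle-search tool is not available. This is an added example, not part of the original answer and not the Wireshark installer's code: it tries to open the mutex named in the answer, and the `Global\` prefix for the machine-wide copy and the function name `Test-NamedMutex` are assumptions made here.

```powershell
# Added example: probe for the single-instance mutex named in the answer.
# Needs PowerShell 2.0 or later (try/catch).
# The base name is taken from the answer above. 'Global\' is the standard
# Windows prefix for a machine-wide kernel object; using it for the global
# copy of this mutex is an assumption.
$baseName   = 'Wireshark-is-running-{9CA78EEA-EA4D-4490-9240-FC01FCEF464B}'
$candidates = @($baseName, "Global\$baseName")

function Test-NamedMutex {
    # Hypothetical helper: returns 'Exists', 'ExistsAccessDenied' or 'NotFound'.
    param([string]$Name)
    try {
        # OpenExisting never creates the object, so probing cannot itself
        # leave a mutex behind that would block the installer.
        $mutex = [System.Threading.Mutex]::OpenExisting($Name)
        $mutex.Close()
        return 'Exists'
    }
    catch {
        # PowerShell may wrap .NET exceptions; walk down to the innermost one.
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }

        if ($ex -is [System.Threading.WaitHandleCannotBeOpenedException]) {
            return 'NotFound'
        }
        if ($ex -is [System.UnauthorizedAccessException]) {
            # The object is there, but its ACL denies this account.
            return 'ExistsAccessDenied'
        }
        throw   # anything else is unexpected; surface it
    }
}

foreach ($name in $candidates) {
    New-Object PSObject -Property @{
        Mutex  = $name
        Status = (Test-NamedMutex -Name $name)
    }
}
```

The script reports only whether the mutex exists, not which process holds it. Names without the `Global\` prefix are resolved per logon session, so run it from an elevated prompt in the same session the installer runs in.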

Comments

I am not allowed to use Process Explorer on our network. We are able to use Process Monitor. I don't know if that will allow me to do the same as Process Explorer, but that is my next step.

MrScott1968 (2018-01-17 21:30:48 +0000)

Odd that you can use ProcMon from SysInternals (MS), but not ProcExp from SysInternals (MS).

Nope, ProcMon won't help. I'm not aware of any other tools that can list the mutexes along with the associated process.

grahamb (2018-01-18 11:17:38 +0000)

I finally installed Process Explorer. There is no {Wireshark-is-running-{9CA78EEA-EA4D-4490-9240-FC01FCEF464B} found when I do a search. I also searched for Wireshark alone and looked through the entire list of processes and there is nothing there.

MrScott1968 (2018-01-24 16:01:01 +0000)

Were you running Process Explorer as an Administrator? If not, try that (if possible).

If you are, I'm not sure what's happening then.

The only thing I can think of is to try to ensure the installer is run with elevated privileges. Can you try to right-click the installer and choose "Run as Administrator"?

grahamb (2018-01-24 16:15:12 +0000)