THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

Tshark crashes if I run it after changing the default interface (in Wireshark)

I don't want tshark.exe to default capturing on "Local Area Connection 7", I want it to capture on "Ethernet". The problem is that every time i change the default interface (in Wireshark) to "Ethernet", tshark.exe just closes immediately after I open it. I have tried hiding the connections but it still starts capturing on Local Area Connection 7... Is there a way of deleting that connection or make tshark.exe to capture on "Ethernet" without crashing?

NickTsl's avatar
1
NickTsl
asked 2020-05-28 22:18:25 +0000
Jaap's avatar
13.7k
Jaap
updated 2020-05-29 11:01:45 +0000
edit flag offensive 0 remove flag close merge delete

Comments

How did you change Ethernet to be default and what happens when shark exits?

$ tshark -D
1. \Device\NPF_{xxxx-xxxx-xxx-xxx} (Local Area Connection* 10)
2. \Device\NPF_{xxxx-xxxx-xxx-xxx} (Local Area Connection* 9)
3. \Device\NPF_{xxxx-xxxx-xxx-xxx} (Local Area Connection* 8)
4. \Device\NPF_{xxxx-xxxx-xxx-xxx} (Ethernet)
5. \Device\NPF_Loopback (Adapter for loopback traffic capture)
6. \Device\NPF_{xxxx-xxxx-xxx-xxx} (Local Area Connection)
7. ciscodump (Cisco remote capture)
8. randpkt (Random packet generator)
9. sshdump (SSH remote capture)
10. udpdump (UDP Listener remote capture)

$ tshark
Capturing on 'Local Area Connection* 10'
0 packets captured

$ tshark -i 4
Capturing on 'Ethernet'
Chuckc's avatar Chuckc (2020-05-29 01:41:19 +0000) edit
more
  • delete

From Wireshark>Edit>Preferences>Capture>Default Interface and i put it to Ethernet. When i run tshark.exe then for a split second everything is normal and it manages to capture 1-2 packets before it immediately closes. That's all

NickTsl's avatar NickTsl (2020-05-29 10:34:04 +0000) edit
more
  • delete

So it doesn't close immediately, as it manages to capture a few packets.

You say you "open" tshark.exe; do you mean you run it from the command line, as per @bubbasnmp's eample, or do you mean you double-click it in Windows Explorer?

Guy Harris's avatar Guy Harris (2020-05-29 22:34:52 +0000) edit
more
  • delete
add a comment see more comments

1 Answer

0

Seems to be a bug in that dialog, for Windows at least.

On my (Win 10) system I can enter any of the 3 options below in the Default Interface field using the list provided in the comment by @bubbasnmp as an example. Your system may be different.

  • The interface index e.g. for Ethernet it's "4"
  • The interface friendly name, e.g. "Ethernet"
  • The device name, e.g. "\Device\NPF_{xxxx-xxxx-xxx-xxx}"

Entering the combination of the friendly name and device in parethensis as is done by the droplist fails.

A bug for this should be raised on the Wireshark Bugzilla.

grahamb's avatar
23.8k
grahamb
answered 2020-05-29 12:04:03 +0000, updated 2020-05-29 13:16:28 +0000
edit flag offensive 0 remove flag delete link
more

Comments

Never mind, i just disabled Local Area Connection7 from device manager. Wasn't something crucial I guess. Now it starts capturing on Ethernet by default. Thanks anyway

NickTsl's avatar NickTsl (2020-05-29 13:15:27 +0000) edit
more
  • delete

Wasn't something crucial

If it just stops with no message, that sounds like a crashing bug, which is always critical, even if you can work around it - somebody else might see it and have to work around it.

I'm seeing a different problem if I select "Ethernet0" as the default device on Windows 10; I've filed that as bug 16593.

Guy Harris's avatar Guy Harris (2020-05-29 22:31:04 +0000) edit
more
  • delete
add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer