USBCap freezes Wireshark on launch in Win10 #50
I am not able to reproduce this issue on either my home laptop running Windows 10 Home or my work laptop running Windows 10 Enterprise. Could you please try executing:
C:\Program Files\Wireshark\extcap>USBPcapCMD.exe --extcap-config --extcap-interface . \USBPcap1
C:\Program Files\Wireshark\extcap>arg {number=0}{call=--snaplen}{display=Snapshot length}{tooltip=Snapshot length}{type=integer}{range=0,65535}{default=65535}
hope this helps.
@iansebryk and once it prints the "Couldn't open device - 5" (which is Access Denied) does it fall into an endless loop? If yes, then at least the endless loop itself can be fixed (not sure if it would be possible to actually list all the devices). I think, even if USBPcap wouldn't list the devices, but would allow other Wireshark functions to operate correctly, it would be much better than the current situation.
This is supposed to prevent Wireshark freeze when USBPcapCMD is used as extcap. Such freezes seem to happen in the wild, see github issue #50.
@iansebryk Could you please check if the latest USBPcapCMD build from AppVeyor is no longer causing Wireshark freeze on your computer?
Related Wireshark bug is here: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14657
If this is the same issue as the Wireshark bug, then users have also seen this on Windows 8.1 and I believe Windows 7.
This should be fixed in USBPcap 1.2.0.4 - this issue will get closed once I receive positive feedback from someone who experienced this problem with earlier USBPcap release.
I just tested it with USBPcap 1.2.0.4 and at least for me this issue is not fixed.
PS C:\Program Files\Wireshark\extcap> .\USBPcapCMD.exe --extcap-config --extcap-interface . \USBPcap1
EDIT: Just saw that USBPcapCMD in C:\Program Files\Wireshark\extcap was from 2017, so I replaced it with the version from the USBPcap directory but still the same error message ...
Error 5 is Access Denied. This can happen if another USBPcapCMD instance has opened the USBPcap1. Did you write the interface properly as \\.\USBPcap1? It is really important that this starts with two backslashes, followed by a dot, and then another single backslash and finally "USBPcap1" (or whatever number, depending on how many root hubs there are). So the command is: Does the interactive (without parameters) version of USBPcapCMD show the devices? Does it still freeze Wireshark?
Wireshark was frozen so I killed it via Windows Task Manager. So I think the interface was not open anymore.
When the USBPcapCMD freezes can you attach to it from a debugger and check where it loops? In Visual Studio it can be done using the Attach To Process option. The pdb file is in the usbpcap release source 7z archive.
If you are unable to launch a debugger, could you please send me (e.g. via email) the user mode dump file of the frozen USBPcapCMD? This can be created using the Windows built-in Task Manager.
I will have to check if there is a Visual Studio license I can use, I am doing embedded development ...
So it turns out, you were correct. I didn't use the correct interface name.
PS C:\Program Files\Wireshark\extcap> arg {number=0}{call=--snaplen}{display=Snapshot length}{tooltip=Snapshot length}{type=integer}{range=0,65535}{default=65535}
EDIT: gnaah GitHub seems to replace those
Did the USBPcapCMD process freeze or exit (check if there is USBPcapCMD.exe visible in Task Manager)? The output looks just fine. If this USBPcapCMD.exe (when used as extcap) still freezes Wireshark on startup, please start Wireshark, wait for the freeze, wait a reasonable amount of time (e.g. 2 minutes), then create a process dump (in Task Manager) and email me the file.
Yes, USBPcapCMD.exe was visible in Task Manager when it had frozen this morning.
So far the most plausible explanation is https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14657#c16 which means that it might not be a bug in USBPcapCMD after all.
Ok, that comment of yours there makes sense.
This problem should be fixed in Wireshark 2.6.3. Can anyone of the people who experienced this issue confirm that it is fixed?
Unfortunately I am still experiencing this issue. Wireshark hangs for some time (order of minutes) on "Initializing external capture plugins," then finally starts up but becomes unresponsive if I try to capture on the USB interface or configure its settings. If I remove USBPcapCMD.exe from the extcap directory, Wireshark starts up as I would expect (minus the USB interfaces of course). I am running:
The Task Manager shows no CPU cycles for USBPcapCMD.exe or Wireshark while it is stalled on start. Running the command in PowerShell stated above ( I tried unplugging as many USB devices as I could and disabling Bluetooth to reduce the length of the output from the command line, but no luck. In both cases the last device listed before crash was:
Any suggestions?
I realized I never tried running Wireshark after unplugging extra USB devices and disabling Bluetooth, and sure enough that fixed the issue and it runs properly now. So maybe there is still some issue related to the bug linked earlier (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14657#c16). It seems like too many devices (docks, hubs, etc) cause USBPcap to have a bad time on Windows.
What do you mean by don't get back to command prompt? Note that USBPcapCMD is really a "gui application" simply to make it not open a window when you execute it from other processes. This has the downside that when you run it from command prompt, it'll still print to the command prompt window but that'll appear after the next prompt. In other words, simply press enter in the PowerShell and it should work just fine. As long as the process is no longer running and exit code was 0, everything is ok and there was no crash. The extcap commands are not really intended to be run from command prompt so it is how it works - note that the interactive cmd window opens if you run USBPcapCMD from shell without any parameter. See https://stackoverflow.com/questions/10262231/obtaining-exitcode-using-start-process-and-waitforexit-instead-of-wait Can you try redirecting outputs of all usbpcap interface(s) to a file(s) and attaching that here? Ideally with the full set that causes freezing and the limited set.
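Added example (not part of the original comments, and not code from the USBPcap or Wireshark projects): one way to follow the advice above from PowerShell, running a single extcap query with a timeout and recording its exit code and redirected output. The install path, output file names and 120-second timeout are assumptions, as is the expectation that USBPcapCMD writes its extcap output to the redirected standard output.

```powershell
# Added example: run one extcap query, capture its output to files, and
# report the exit code, or report a hang if it does not finish in time.
$exe     = 'C:\Program Files\Wireshark\extcap\USBPcapCMD.exe'   # assumed install path
$iface   = '\\.\USBPcap1'   # two backslashes, a dot, one backslash, then the name
$outFile = Join-Path $env:TEMP 'USBPcapCMD-stdout.txt'          # assumed file names
$errFile = Join-Path $env:TEMP 'USBPcapCMD-stderr.txt'
$timeoutMs = 120000                                             # assumed timeout

$proc = Start-Process -FilePath $exe `
    -ArgumentList '--extcap-config', '--extcap-interface', $iface `
    -RedirectStandardOutput $outFile `
    -RedirectStandardError  $errFile `
    -NoNewWindow -PassThru

# Touch the handle now so that ExitCode is still readable after exit;
# without this, -PassThru objects can return an empty ExitCode.
$null = $proc.Handle

$timer = [System.Diagnostics.Stopwatch]::StartNew()
if ($proc.WaitForExit($timeoutMs)) {
    $timer.Stop()
    'Exited after {0:N1} s with exit code {1}' -f $timer.Elapsed.TotalSeconds, $proc.ExitCode
    'Lines written to stdout: {0}' -f @(Get-Content -Path $outFile).Count
    'Lines written to stderr: {0}' -f @(Get-Content -Path $errFile).Count
} else {
    # Still running: this is the state in which a process dump is useful.
    'Still running after {0} s (PID {1}); create a dump in Task Manager before ending it' -f ($timeoutMs / 1000), $proc.Id
}
```

Running it once with the hardware set that freezes Wireshark and once with the reduced set gives two pairs of files that can be compared directly.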
Sorry for the late reply, I was on vacation ... For me it is also not fixed, yet.
Hi @desowin, "This has downside that when you run it from command prompt, it'll still print to the command prompt window but that'll appear after the next prompt. In other words, simply press enter in the powershell and it should work just fine." I was referring to PowerShell not dropping back to the command line after printing the output from USBPcapCMD.exe, but like you said the output appeared after the next prompt which I didn't notice, so I don't think there was an error exit code. I will try to capture the output of USBPcapCMD.exe today with my working and non-working system configurations and get you the dumps.
Unfortunately I do not have administrator permissions to run PowerShell scripts on my work machine, so I wasn't able to capture the exit code. However, here are the outputs from In both cases I have Bluetooth disabled on my machine. The not working configuration has a 4-port USB hub connected to a Dell laptop dock, and the 4-port hub has 3 devices connected. The working configuration has the 4-port hub unplugged from the Dell laptop dock. Let me know if there's any other information I can provide to help with this.
Looks like the devices from the USB hub are not listed. Is the USBPcapCMD still running after it prints the last line from the freeze log you posted? If it is, then that should explain the behavior that you wrote about the Wireshark eventually starting up. And if that's the case, please let it run for at least the same amount of time it takes for Wireshark to get past the initializing external capture interfaces. Are there any lines printed later on if you let it run longer? Do you have only USBPcap1 in your system? Or do you have more? If there's more, can you include the extcap config for all of them?
USBPcap1 is the only interface that appears when I start Wireshark in working and non-working configurations. According to the Task Manager, USBPcapCMD is no longer running after the output is printed; PowerShell and its Console Window Host show 0% CPU usage and USBPcapCMD is not in the "Apps" list. Is there somewhere else I need to look? In any case, no more lines print out from USBPcapCMD when I let it go for the same amount of time as it takes Wireshark to get past "Initializing external capture plugins". It appears that the 4-port hub itself is producing the issue. If I have the hub plugged in to my dock, with no devices attached to the hub, Wireshark hangs. The USBPcapCMD output in this configuration is attached, USBPcapCMD-hub.txt. Additionally if I plug the hub directly into my laptop's USB port rather than through the dock, Wireshark also hangs, output attached in USBPcapCMD-hub-direct-conn.txt. If I unplug the hub, Wireshark starts up right away, the output for this is in USBPCapCMD-no-hub.txt. Comparing diffs of the files shows that when the hub is connected to either PC or dock, the "Generic SuperSpeed USB Hub" gets printed twice at the end of the output, but differently: Connected to PC: Connected to HUB: So maybe something with having two Generic SuperSpeed USB Hubs? The 4-port hub shows as both a Generic USB Hub and Generic SuperSpeed USB Hub in the Device Manager. Its VID:PID for the Generic USB Hub are USBPcapCMD-direct-hub-conn.txt
Can you find the hub in Device Manager when the grouping by connection (default is by type) is active? Can you include the screenshot of expanded device tree around this hub?
@desowin my USB hubs do not show up in the Device Manager when the grouping by connection is active
I have got the same issue with the Bluetooth adapter on my laptop (Lenovo). After I had switched it off, Wireshark started normally.
So I guess I was wrong and the console weird behavior might be just a problem with redirection:
Also when debugging I noticed that in my case the first call to GlobalFree here seems to take a long time and that is what is causing the freeze.
So how can we get this fixed? :(
Does USBPcap 1.3.0.0 affect the freeze in any way?
The debug build you sent me works for me :) EDIT: If you want me to retest with 1.3.0.0 installed, just let me know.
So the problem (at least when using USBPcap 1.2.0.4 or newer) is actually in how Wireshark reads extcap output. In releases prior to Aug 16, 2018, it was a deadlock and in newer releases it is "just" a performance issue.
Does not seem to work for me.
@devcompl The version number being invalid in 1.3.0.0 release is a known bug. Fabian was referring to debug build of the Wireshark, as the problem seems to be indeed there. I'll create a review linked to the Wireshark bug, so if anyone is interested please CC the Wireshark bug.
@desowin Do you still want me to comment on the Wireshark Bugzilla link you sent me?
@fabianbuettner Yes, I think it is good to have Wireshark related changes discussed in Wireshark bug tracker.
@desowin I am not really sure what I should add to the discussion there
This turns out to have been a Wireshark issue. The potential mitigations I have done in USBPcap probably don't hurt, but the issue is resolved by just fixing Wireshark. For more information please check:
I had this issue with Wireshark 3.0.1, and found turning off Bluetooth fixes it.
First Wireshark release where this is fixed is 3.0.2.
Weird. I had Wireshark 3.0.1 installed since this May. I hadn't used it for the last month, fired it up the other day to capture using USBPcap and it was working fine until at some point yesterday when it started to have a very long initialization startup period. This led me to this thread. I have now installed v3.1.0 dev and all is good again. I have v1.5.3.0 USBPcap installed.
Wireshark flat out won't launch with USBCap installed. using latest version of both (2.6 & 1.2). when i looked at the process in ProcExp64, i noted that the path to USBCap has double slashes in the path (see screenshot). don't know what that means but USBCap flat out kills it. after removal, wireshark loads just fine. this is nae good.
which means all my external cap devices are useless. Win10 just sucks... ;(