Wireshark GUI eats huge amount of memory while capturing packets and displaying results. Frequently the wireshark.exe application crash with error: “Runtime Error! The Application has requested that the Runtime to Terminate it in an unusual way. Please contact support….

Eventually you may try to decrease the amount of memory consumed during a capture by unselecting following options:

-Update list of packets in real time.
-Automatic scrolling in live capture.

However it is still not very reliable on older machines. Instead of Wireshark you may consider using dumpcap (dumpcap.exe gets installed together with Wireshark)

Example usage:

CD C:\Program Files\Wireshark
 dumpcap -D (Prints list of interfaces and exits)
 C:\Program Files\Wireshark>dumpcap -D

Result:

1. \Device\NPF_{4478BA44-4790-4BF0-A934-A53D499095F9} (VMware Accelerated AMD PC
 Net Adapter (Microsoft's Packet Scheduler) )
2. \Device\NPF_{11955CA9-B77F-4B75-8E3D-0B8021B7DE5B} (VMware Accelerated AMD PC
 Net Adapter (Microsoft's Packet Scheduler) )

Start capture on first interface:

dumpcap -i \Device\NPF_{4478BA44-4790-4BF0-A934-A53D499095F9} -b filesize:102400 -a files:2 -w c:\dump\capture.cap

Start capture on both interfaces:

dumpcap -i \Device\NPF_{4478BA44-4790-4BF0-A934-A53D499095F9} -i \Device\NPF_{11955CA9-B77F-4B75-8E3D-0B8021B7DE5B} -t -b filesize:102400 -a files:2 -w c:\dump\capture.cap

Note: The capture will automatically ends up after filling 2 files of 100 MB size.

Additional information:

dumpcap –help (prints help. Use it to display all available parameters)

Ref: http://www.wireshark.org/docs/man-pages/dumpcap.html

Kind Regards,
Witold Lawacz (Ławacz)