
Why is TLS Decryption MUCH slower on Windows 10 than macOS?


My colleague has a MacBook Pro w/ i7 3.3GHz w/ 2 cores & 16 GB RAM, while my Windows 10 Pro laptop has an i7 w/ 6 cores & 32GB RAM. We were using a PMS file to decrypt some HTTPS traffic, and his laptop decrypted an 800MB pcap in around 1 minute, while mine wasn't even 1% done after 4 min. I had another colleague test w/ a similar Windows 10 laptop with identical results.

Why is Wireshark on Windows 10 so slow at decrypting TLS???

rparelius, asked 2019-09-17 18:44:41 +0000

Comments

Presumably the same file decrypts more slowly on Windows than macOS.

In the "About" dialog, what library versions are shown for the macOS version and the Windows version of Wireshark?

Guy Harris (2019-09-17 19:54:08 +0000)

Windows 10: Version 3.0.4 (v3.0.4-0-g71591544b8d6)
macOS: Version 3.0.3 (v3.0.3-0-g6130b92b0ec6)

rparelius (2019-09-17 20:08:51 +0000)

I think it may have something to do with the size of the pms file. When decrypting a very small pcap that has only 2 TLS sessions it takes roughly a minute when using a large pms file (156 MB), but is virtually instant with a pms file containing only the relevant decryption keys.

rparelius (2019-09-17 20:31:34 +0000)

What library versions, rather than Wireshark versions, are shown in the "About" dialog? Perhaps the libraries being used for decryption have different versions.

Guy Harris (2019-09-18 00:17:14 +0000)

> I think it may have something to do with the size of the pms file. When decrypting a very small pcap that has only 2 TLS sessions it takes roughly a minute when using a large pms file (156 MB), but is virtually instant with a pms file containing only the relevant decryption keys.

So, if you hand the same capture file and the same pms file to the Windows and macOS versions, does it take longer on Windows than on macOS?

Guy Harris (2019-09-18 00:18:57 +0000)
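The comments above report that a pms file holding only the relevant keys decrypts almost instantly while a 156 MB one does not. The following is an added example, not code from the thread or from the Wireshark project, that trims a key file to the sessions in a capture; it assumes the pms file uses the NSS key log format (`<LABEL> <client random> <secret>` lines) and that the capture's ClientHello randoms are supplied by the caller. The sample data and the file name `capture.pcap` are constructed.

```python
import re

# Key log line: "<LABEL> <hex id> <hex secret>". For every label except RSA,
# the id is the 32-byte ClientHello random (64 hex digits).
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9A-Fa-f]+) ([0-9A-Fa-f]+)$")


def filter_keylog(lines, client_randoms):
    """Return only the key log lines whose client random is in client_randoms.

    RSA lines are indexed by encrypted pre-master secret rather than by
    client random, so they cannot be matched here and are kept unchanged.
    Comments, blank lines and malformed lines are dropped.
    """
    # Normalise case and strip colons (some tools print bytes as aa:bb:...).
    wanted = {r.strip().replace(":", "").lower() for r in client_randoms}
    wanted.discard("")
    kept = []
    for raw in lines:
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # comment, blank or malformed line
        label, ident, _secret = m.groups()
        if label == "RSA" or ident.lower() in wanted:
            kept.append(line)
    return kept


# Constructed sample data (not real keys).
RANDOM_A = "aa" * 32  # session present in the capture
RANDOM_B = "bb" * 32  # unrelated session
SAMPLE_KEYLOG = [
    "# constructed key log",
    f"CLIENT_RANDOM {RANDOM_A} {'11' * 48}",
    f"CLIENT_RANDOM {RANDOM_B} {'22' * 48}",
    f"CLIENT_TRAFFIC_SECRET_0 {RANDOM_A.upper()} {'33' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {RANDOM_B} {'44' * 32}",
    "truncated line",
]

if __name__ == "__main__":
    # The randoms can be exported from the capture, for example with:
    # tshark -r capture.pcap -Y "tls.handshake.type == 1" -T fields -e tls.handshake.random
    for line in filter_keylog(SAMPLE_KEYLOG, [RANDOM_A]):
        print(line)
```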

1 Answer


There's no deliberate code to slow things down, so your results are unexpected. There is a possibility that different configurations (profiles) between macOS and Windows instances are causing the issue, so are you sure the configs are the same?

Investigating this will likely require some developer input. Please raise a bug over at the Wireshark Bugzilla. Bonus points for attaching a sample capture and keying material so no-one has to generate that themselves.

grahamb, answered 2019-09-17 19:57:35 +0000

Comments

Here is a link to the Bugzilla report along w/ the sample pcaps. I had to truncate the large pms file so that it could be uploaded, but it should be easy to add randomized entries to bloat it to a larger size.

https://bugs.wireshark.org/bugzilla/s...

rparelius (2019-09-18 14:03:19 +0000)