
tshark or dumpcap affecting RDP session on Windows Server 2012R2

Has anyone encountered RDP performance issues while running tshark or dumpcap on a remote Windows 2012R2 server?

I have found lately that when I run a persistent tshark capture (or dumpcap), using out of band network ports, writing to a file ring buffer, the in-band RDP session that I use to administer the same server suffers from RDP issues to the point where, after some time passes, I need to reboot the server to regain control. All the while, the tshark session runs merrily along.

I hope I explained this well enough.

Today, for the first time, I am trying to run the tshark capture from within a bat file being called from a scheduled task so that I don't have to be logged into the server via RDP. So far, so good. Time will tell.

Thanks in advance.

John

JohnBoy asked 2020-09-15 19:55:07 +0000

Comments

What does tshark --version report about the version of WinPcap or Npcap with which it's running?

Guy Harris (2020-09-15 21:21:53 +0000)

Thanks for your response. Here is the output of that command:

TShark (Wireshark) 3.2.4 (v3.2.4-0-g893b5a5e1e3e)

Copyright 1998-2020 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with WinPcap SDK (WpdPack) 4.1.2, with GLib 2.52.3, with zlib
1.2.11, with SMI 0.4.8, with c-ares 1.15.0, with Lua 5.2.4, with GnuTLS 3.6.3
and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos, with MaxMind DB
resolver, with nghttp2 1.39.2, with brotli, with LZ4, with Zstandard, with
Snappy, with libxml2 2.9.9.

Running on 64-bit Windows Server 2012 R2, build 9600 ...
JohnBoy (2020-09-16 11:53:07 +0000)

Npcap version 0.9991

Npcap is currently at 0.9997 with fixes for memory use.

Example here of upgrade helping.

Chuckc (2020-09-16 14:18:17 +0000)

Also note that 3.2.6 is the current stable release.

grahamb (2020-09-16 14:34:57 +0000)

Thanks guys... I'll give the new version a go and see how I make out.

Cheers.

JohnBoy (2020-09-16 14:37:42 +0000)

1 Answer


As others have noted, that's likely to be an issue with Npcap, as it has to insert a driver into the networking stack to capture traffic.

You should file an issue on the Npcap issue list.

Guy Harris answered 2020-09-21 17:30:17 +0000
