WS is non-responsive when capturing many packets

When starting a capture (no filter) with a lot of traffic, after a few tens of seconds WS becomes non-responsive; even stopping the capture takes a long time. Is this normal and to be expected?

I assume it is due to the large volume of data, and fair enough. But nevertheless it is a bit annoying. Are there tricks to tame it before it grinds to a halt, except stopping manually after a few tens of seconds?

Thanks for hints.

Version info:

3.4.3 (v3.4.3-0-g6ae6cd335aa9)

Compiled (64-bit) with Qt 5.15.1, with libpcap, with GLib 2.52.3, with zlib
1.2.11, with SMI 0.4.8, with c-ares 1.15.0, with Lua 5.2.4, with GnuTLS 3.6.3
and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos, with MaxMind DB
resolver, with nghttp2 1.39.2, with brotli, with LZ4, with Zstandard, with
Snappy, with libxml2 2.9.9, with QtMultimedia, with automatic updates using
WinSparkle 0.5.7, with AirPcap, with SpeexDSP (using bundled resampler), with
Minizip.

Running on 64-bit Windows 10 (1803), build 17134, with Intel(R) Core(TM)
i7-8750H CPU @ 2.20GHz (with SSE4.2), with 32573 MB of physical memory, with
locale Danish_Denmark.utf8, with light display mode, without HiDPI, with Npcap
version 1.10, based on libpcap version 1.9.1, with GnuTLS 3.6.3, with Gcrypt
1.8.3, with brotli 1.0.2, without AirPcap, binary plugins supported (21 loaded).

Built using Microsoft Visual Studio 2019 (VC++ 14.28, build 29336).
helarsen
asked 2021-03-02 23:18:54 +0000, updated 2021-03-03 09:00:05 +0000

Comments

What is your line rate? If you're not interested in layer 4 and above set an appropriate snaplen.

grahamb (2021-03-03 08:49:29 +0000)

Thank you for your hints. I am very new to this so if nothing else but for myself I added screen dumps of the relevant settings corresponding to your suggestions. ...... just to find out that I need >60 points to upload a file - so I will have to keep this to myself.

helarsen (2021-03-03 20:46:50 +0000)

@grahamb. It's 1 Gb/s TCP. Trying to figure out what causes: [Reassembly error, protocol TCP: New fragment overlaps old data (retransmission?)]

helarsen (2021-03-03 20:51:16 +0000)

@helarsen, you can provide a link to an image posted elsewhere.

The error you noted happens when a TCP segment is retransmitted, but contains more data than originally sent. There has been some work done on TCP reassembly in the dev version (3.5.x), maybe you could try the latest automated build, see here.

grahamb (2021-03-04 11:27:03 +0000)

2 Answers

Depends on your use case

  1. Disable update in real time
  2. Set a stop time or a stop size
  3. Use dumpcap to capture
  4. Use dumpcap saving to multiple files

But yes, capturing on a busy interface may be challenging.

Anders
answered 2021-03-03 07:30:22 +0000
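
The dumpcap ring-buffer advice above, combined with the snaplen suggestion from the comments, can be sized before starting the capture. This is an added example, not part of the original thread; the interface index, the 1000-byte average frame size, the snaplen of 96, the ring size and the output file name are assumed values.

```shell
#!/bin/sh
# Added example (not from the thread). Interface index, sizes and the
# output file below are assumed values; adjust them to the capture host.

# Upper bound on bytes written per second. Args: line rate in Mbit/s,
# average frame size in bytes, snaplen in bytes (0 = no truncation).
# 32 bytes per packet is the pcapng Enhanced Packet Block overhead without
# options; preamble and inter-frame gap are ignored, so this overestimates.
est_write_rate() {
  pps=$(( $1 * 1000000 / 8 / $2 ))
  kept=$2
  if [ "$3" -gt 0 ] && [ "$3" -lt "$2" ]; then kept=$3; fi
  echo $(( pps * (kept + 32) ))
}

# Seconds of traffic a ring buffer holds. Args: file size in kB, number of
# files, write rate in bytes/s. 1 kB is treated as 1000 bytes (assumption).
ring_retention_secs() {
  echo $(( $1 * 1000 * $2 / $3 ))
}

# Compose the dumpcap command line. Args: interface, snaplen, file size in
# kB, number of ring files, stop-after duration in seconds, output file.
dumpcap_cmd() {
  printf 'dumpcap -i %s -s %s -b filesize:%s -b files:%s -a duration:%s -w %s\n' \
    "$1" "$2" "$3" "$4" "$5" "$6"
}

# Constructed scenario: 1 Gb/s link, 1000-byte average frames,
# ring of 20 files x 100000 kB, hard stop after 600 seconds.
full=$(est_write_rate 1000 1000 0)    # full packets
hdrs=$(est_write_rate 1000 1000 96)   # truncated to 96 bytes per packet
echo "full capture: $full B/s, ring holds $(ring_retention_secs 100000 20 "$full") s"
echo "snaplen 96  : $hdrs B/s, ring holds $(ring_retention_secs 100000 20 "$hdrs") s"
dumpcap_cmd 1 96 100000 20 600 capture.pcapng
```

The script only prints the command; `dumpcap -D` lists the interface numbers to use for `-i`, and the same dumpcap arguments apply on Windows.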

  1. Make sure not to do DNS resolving of IP addresses in Wireshark.
hugo.vanderkooij
answered 2021-03-03 08:25:13 +0000

Comments

Sorry, I can only mark one as answer, so had to pick one.

helarsen (2021-03-03 20:48:27 +0000)