Running Windows 10, 21H2, Wireshark 3.6.1, Npcap 1.60, NO USBpcap.
When I start a capture, everything looks good for a few seconds. I see packets being displayed. After a few seconds, the display freezes. Then, approximately 60 seconds after I started the capture, the display frees up and seems to catch up. Anyone else seeing this behavior?
Thanks for the suggestions. It was not a DNS issue, but it got me started digging into the settings. I turned off all the MAC and name resolution options and was still having the issue. Finally, I created a new profile and the issue went away. By exporting my old and new profiles and comparing them, I found the problem. A while back I was experimenting with decrypting some HTTPS traffic and has set the Windows environment variable for SSLKEYLOGFILE and added a Wireshark option to the TLS protocol for (Pre)-Master-Secret log file. My SSL log file had grown to over 800MB. So when I would start a capture, as soon as it caught a TLS packet, the GUI would freeze while the log file was accessed. I was wondering why there was a variable length of time before it froze, but after this discovery, I found it was always freezing on the first TLS packet.
There is an open issue for this:
17051 - Wireshark GUI hangs when decrypting TLS with large SSLKEYLOGFILE
This could possibly be a DNS resolution attempt slowing down the the machine.
Please retry by unchecking the 'Use an external network name resolver' under the Name resolution preferences
.
Regards Matthias
Comments
Some type of name resolution timeout perhaps?
I noticed a similar behaviour running under windows 7 and NCAP 1.6. I tried reinstalling a few times and winding back to previous restore points to no avail. Reverting to Wireshare 3.4.11 was the only option for me.