
Very slow file copy is fixed when running Wireshark


We have a Windows 10 Enterprise VM. It is used to Build and Deploy one of our applications. Part of the process is copying files from Server A (a Windows 2019 server VM) to Server B (another Windows 2019 server VM).

When this process fires, it takes between 45 minutes to well over an hour to complete. Way too slow. This is impacting our software deployments.

I fired up Wireshark to try to figure out the issue. As soon as Wireshark began capturing the traffic, the copying files immediately sped up. Repeating the file copy (with Wireshark running), takes <1 minute. Very interesting.

We stopped Wireshark, and it was slow again (but sometimes, it remained fast. No idea why). After rebooting the VM though, the file copy was very slow again.

We are only copying 386 files, about 66 MB in size. So, it's not a crazy amount of data.

We have tested the file copy from Server A to Server B and vice versa, bypassing the Windows 10 VM altogether. We have copied files from other workstations (such as mine) to Server A with zero issues, and same to Server B.

My questions:

  1. What does Wireshark do on startup that "fixes" our file copy issue? From our experience, Wireshark does "something"; we want to know what that is.
  2. What configurations does it touch/modify/change?
  3. Which services does it start? If any?
  4. Which processes does it use?
  5. Does it change any OS settings?

I am not sure if I am asking the right questions. But for some reason, having Wireshark capturing traffic fixes all the file copy issues.

Thanks,

Paul

Paul Wright asked 2023-05-31 20:12:58 +0000
Jaap updated 2023-06-01 09:16:00 +0000

Comments

When you're running Wireshark, is it capturing in promiscuous mode or not? (I'm assuming this is not a copy over Wi-Fi.) If so, does changing the promiscuous mode (leaving it off if it was on, turning it on if it was off) make a difference?

Guy Harris (2023-06-01 05:09:47 +0000)

Guy, thanks for responding. This is Wireshark Portable, freshly installed, no changes other than to auto resolve IP's to their names. I don't even know where to look for promiscuous mode.

No, this is not over WIFI, as far as I know, the Win 10 VM and the 2 Win 2019 VM's are in the same data center. Ping times are usually < 1ms and number of TraceRt hops are 1.

Paul Wright (2023-06-01 14:06:02 +0000)

> This is Wireshark Portable

That doesn't make a difference when it comes to promiscuous mode.

> I don't even know where to look for promiscuous mode.

Select "Options" from the "Capture" menu. In that dialog box, there's a "Enable promiscuous mode on all devices" check box. If it's checked, un-check it; if it's not checked, check it. Then select the interface(s) on which you want to capture, and click "Start".

Guy Harris (2023-06-01 19:18:31 +0000)

Guy, thanks. I hadn't had a chance to get back to this... I did find the Promiscuous mode and it made no difference whether or not it was checked. It was checked by default. It is now currently checked (after I tested unchecked).

Paul Wright (2023-06-01 19:36:28 +0000)

2 Answers


Just an idea!

Try this PowerShell command before running Wireshark, save the result. Repeat after running Wireshark. Diff compare both txt files.

Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter IPEnabled=TRUE -ComputerName . | Select-Object -Property [a-z]* -ExcludeProperty IPX,WINS

menticol answered 2023-06-01 01:59:15 +0000

Comments

Larottao, Thank you for the suggestion. Before and After text files are exactly the same. No differences.

Paul Wright (2023-06-01 17:44:31 +0000)
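
A broader version of the before/after comparison suggested in the answer above, as an added example that is not part of the original thread. It goes beyond the single WMI class and also records adapter bindings (where filter drivers appear) and driver advanced properties; the function names are hypothetical, and it assumes the NetAdapter module (Windows 8 / Server 2012 or later).

```powershell
# Added example; function names are hypothetical and not from the thread.
function Get-NetStackSnapshot {
    $sections = [ordered]@{
        # Same WMI class as the command in the answer above.
        ipconfig = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
            Select-Object Description, MACAddress, IPAddress, IPSubnet, DefaultIPGateway, DNSServerSearchOrder, DHCPEnabled
        # Every component bound to each adapter, filter drivers included.
        binding  = Get-NetAdapterBinding -AllBindings |
            Select-Object Name, ComponentID, DisplayName, Enabled
        # Driver-level settings (offloads, buffers, interrupt moderation).
        advanced = Get-NetAdapterAdvancedProperty |
            Select-Object Name, DisplayName, DisplayValue
    }
    # Flatten each object to one "section|key=value;..." line so snapshots diff cleanly.
    foreach ($section in $sections.Keys) {
        foreach ($obj in $sections[$section]) {
            $pairs = $obj.PSObject.Properties |
                ForEach-Object { '{0}={1}' -f $_.Name, ($_.Value -join ',') }
            '{0}|{1}' -f $section, ($pairs -join ';')
        }
    }
}

function Compare-NetStackSnapshot {
    param([string[]]$Before, [string[]]$After)
    # Order-independent comparison; label which snapshot each line came from.
    Compare-Object -ReferenceObject $Before -DifferenceObject $After |
        Select-Object @{ n = 'Seen'; e = { if ($_.SideIndicator -eq '<=') { 'before only' } else { 'during only' } } },
                      @{ n = 'Line'; e = { $_.InputObject } }
}

$before = Get-NetStackSnapshot
Read-Host 'Start the Wireshark capture, then press Enter' | Out-Null
$during = Get-NetStackSnapshot

$diff = Compare-NetStackSnapshot -Before $before -After $during
if ($diff) {
    $diff | Format-Table -AutoSize -Wrap
} else {
    'No differences in IP configuration, bindings, or advanced properties.'
}
```

An empty diff here only rules out changes visible through these three sources; behaviour inside a driver while a capture is running does not show up in configuration snapshots.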

> What configurations does it touch/modify/change?

It may put the interface in promiscuous mode, which has, on occasion, been known to change some network behavior in ways that clear up networking problems; however, as you tried both with and without promiscuous mode, with no change, that's probably not what's happening here.

Npcap, which provides the capture mechanisms that Wireshark (and other programs) use, adds a "filter driver" to the networking stack. As far as I know, that driver is always in the stack, but when a capture is in progress, that might change the behavior of the networking stack. You'd have to ask the Npcap developers about that.

> Which services does it start? If any?

It doesn't directly start any services; if installed with Npcap, there's a service that's part of Npcap that I think is started when the machine is booted.

> Which processes does it use?

The Wireshark UI process and a subprocess, running the "dumpcap" utility that's part of Wireshark, which does the packet capturing and writes the packets to a file.

> Does it change any OS settings?

Nothing other than the stuff Npcap does.

Guy Harris answered 2023-06-01 20:46:20 +0000, updated 2023-06-01 20:47:27 +0000

Comments

Guy, apologies for not replying sooner. I was pulled away by other issues that needed more urgent attention.

Hmmm, I wonder what Wireshark does when I begin capturing. Because it immediately "fixes" the file copy issue we are experiencing.

I will keep tinkering/exploring this issue. If you have any other insights, I will definitely pay attention.

Thanks!

Paul Wright (2023-06-22 15:16:11 +0000)
