
Wireshark not responding while capturing packets


Hi, for a long time I used Wireshark without problems, but for a while now it has been very frustrating to use.

When I start a capture I don't see any problems and packets being captured are shown without problems; I can see TCP, NBNS, DNS and other traffic. But when I, for example, open a browser and search for a website, Wireshark begins to slow down until it crashes, with Windows saying that the program is not responding.

Obviously I analyzed RAM usage and I saw very high values (I have a 4 GB machine underneath).

I use Npcap as a capture driver and obviously I tried to uninstall and reinstall Wireshark, without solving anything.

Is there a solution for this problem? Do I need a RAM upgrade in order to use it?

BrainStem
asked 2018-06-02 17:26:12 +0000

Comments

Wireshark version?

grahamb (2018-06-02 20:54:19 +0000)

The latest stable, 2.6.1, but even with earlier versions

BrainStem (2018-06-03 11:00:13 +0000)

1 Answer


It's probably a resource bottleneck problem - I usually see this if the flood of incoming packets is high, e.g. more than a few 100 MBit/s. Unless I need/want to see packets in real time I do not use Wireshark for the capture anymore, but run dumpcap directly instead (which is the tool Wireshark calls for the capture as well). Seeing packets in real time is only useful if it's slow traffic, of course, which usually doesn't give you the trouble you experience. Note that with longer run time Wireshark accumulates meta information (e.g. TCP flow correlations, expert messages etc.) which will make you run out of memory eventually. dumpcap doesn't, and can run "forever".

See this blog post for more information:

https://blog.packet-foo.com/2013/05/t...

Jasper
answered 2018-06-03 16:15:17 +0000
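
The dumpcap-only capture described in the answer above, as an added example that is not part of the original post: it runs dumpcap with a ring buffer, so disk use stays bounded for a capture that is left running. The function names, the four positional arguments and the two-file minimum are assumptions of this example; `-i`, `-w`, `-b filesize:` and `-b files:` are dumpcap's own options.

```shell
#!/bin/sh
# Added example: long-running capture with dumpcap instead of the Wireshark GUI.
# Hypothetical usage: sh ringcap.sh IFACE OUT_FILE FILE_MB BUDGET_MB

# ring_files FILE_MB BUDGET_MB
# Prints how many FILE_MB-sized capture files fit into BUDGET_MB of disk.
# Fails on anything that is not a positive integer, or if fewer than two
# files fit (this example wants one complete file kept while the next fills).
ring_files() {
    for n in "$1" "$2"; do
        case "$n" in
            ''|0*|*[!0-9]*)
                echo "not a positive integer: '$n'" >&2
                return 1 ;;
        esac
    done
    files=$(($2 / $1))
    if [ "$files" -lt 2 ]; then
        echo "budget of $2 MB holds fewer than two files of $1 MB" >&2
        return 1
    fi
    echo "$files"
}

# run_capture IFACE OUT_FILE FILE_MB BUDGET_MB
# Starts dumpcap in ring-buffer mode. Sizes are validated before dumpcap is
# looked up, so bad input is reported even on a host without Wireshark.
run_capture() {
    iface=$1 out=$2 file_mb=$3 budget_mb=$4
    count=$(ring_files "$file_mb" "$budget_mb") || return 1
    command -v dumpcap >/dev/null 2>&1 || {
        echo "dumpcap not found in PATH" >&2
        return 127
    }
    # -b filesize: is given in kB; -b files: caps the number of files kept,
    # after which the oldest file is overwritten.
    dumpcap -i "$iface" -w "$out" \
        -b "filesize:$((file_mb * 1000))" -b "files:$count"
}

# Only capture when called with all four arguments.
if [ "$#" -eq 4 ]; then
    run_capture "$@"
fi
```

The same dumpcap options can be typed directly at a Windows command prompt; `dumpcap -D` lists the interfaces to pass to `-i`. Stop the capture with Ctrl+C and open individual files from the ring in Wireshark afterwards.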