Ask Your Question
0

Why is TLS Decryption is MUCH slower on Windows 10 than MacOS?

asked 2019-09-17 18:44:41 +0000

My colleague has a Macbook Pro w/ i7 3.3Ghz w/ 2 cores & 16 GB RAM, while my windows 10 pro laptop has an i7 w/ 6 cores & 32GB RAM. We were using a PMS file to decrypt some HTTPS traffic, and his laptop decrypted an 800MB pcap in around 1 minute, while mine wasn't even 1% done after 4 min. I had another colleague test w/ a similar Windows 10 laptop with identical results.

Why is wireshark on Windows 10 so slow at decrypting TLS???

edit retag flag offensive close merge delete

Comments

Presumably the same file decrypts more slowly on Windows that macOS.

In the "About" dialog, what library versions are shown for the macOS version and the Windows version of Wireshark?

Guy Harris gravatar imageGuy Harris ( 2019-09-17 19:54:08 +0000 )edit

Windows 10: Version 3.0.4 (v3.0.4-0-g71591544b8d6) MacOS: Version 3.0.3 (v3.0.3-0-g6130b92b0ec6)

rparelius gravatar imagerparelius ( 2019-09-17 20:08:51 +0000 )edit

I think it may have something to do with the size of the pms file. When decrypting a very small pcap that has only 2 tls sessions it takes roughly a minute when using a large pms file (156 MB), but is virtually instant with a pms file containing only the relevant decryption keys.

rparelius gravatar imagerparelius ( 2019-09-17 20:31:34 +0000 )edit

What library versions, rather than Wireshark versions, are shown in the "About" dialog? Perhaps the libraries being used for decryption have different versions.

Guy Harris gravatar imageGuy Harris ( 2019-09-18 00:17:14 +0000 )edit

I think it may have something to do with the size of the pms file. When decrypting a very small pcap that has only 2 tls sessions it takes roughly a minute when using a large pms file (156 MB), but is virtually instant with a pms file containing only the relevant decryption keys.

So, if you hand the same capture file and the same pms file to the Windows and macOS versions, does it take longer on Windows than on macOS?

Guy Harris gravatar imageGuy Harris ( 2019-09-18 00:18:57 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-09-17 19:57:35 +0000

grahamb gravatar image

There's no deliberate code to slow things down, so your results are unexpected. There is a possibility that different configurations (profiles) between macOS and Windows instances are causing the issue, so are you sure the configs are the same?

Investigating this will likely require some developer input. Please raise a bug over at the Wireshark Bugzilla. Bonus points for attaching a sample capture and keying material so no-one has to generate that themselves.

edit flag offensive delete link more

Comments

Here is a link to the bugzilla report along w/ the sample pcaps, I had to truncate the large pms file so that it could be uploaded but it should be easy to add randomized entries to bloat it to a larger size

https://bugs.wireshark.org/bugzilla/s...

rparelius gravatar imagerparelius ( 2019-09-18 14:03:19 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2019-09-17 18:44:41 +0000

Seen: 607 times

Last updated: Sep 17 '19