Wireshark Freezes During WAN Speed Tests

asked 2020-05-24 02:02:27 +0000

firewire10000
1 ●1 ●1 ●1

I have setup port mirroring on my 24-port Netgear switch so that I can see the traffic between the ingress WAN and egress WAN that goes towards my OpenWrt router. The mirroring switch mirroring port is connected to a spare NIC in my PC where I can see all of the traffic for the selected network interface.

When Wireshark is open and I carryout a WAN speed test with Ookla SPEEDTEST on any device on the network for example, the Wireshark software freezes up no matter how much I narrow down the packets displayed using the display filters. My question is, is this normal or am I just trying to view too many packets at once and my computer can't keep up in real-time?

Whilst Wireshark is being unresponsive, the device performing the speed test suffers to reach full speeds. I hear of people using tcpdump across many IT forums but never looked at it. I take it it creates a full dump of the network for a specified capturing timeframe, and then you import the data into Wireshark to filter the data as though it's realtime traffic?

Is this the approach I shouldn't be taking to eliminate Wireshark crashes and severe network saturation? Also from the title of tcpdump, does it capture more than the TCP protocol despite the name?

Many thanks

Will

edit retag flag offensive close merge delete

Comments

I noticed the following:

Wireshark software freezes up no matter how much I narrow down the packets displayed using the display filters

You might want to try capture filters instead; they drop traffic before it gets to the GUI app possibly reducing the load. It may not matter, depending on how much traffic / of what type is entering the capturing system.

Wireshark is being unresponsive, the device performing the speed test suffers to reach full speeds

You imply a causal relationship here; that running Wireshark somehow affects other systems on the network. In general I doubt this is true - if the speed test is on the SAME system as where you are capturing, then possible/likely but for just other systems, as you describe your setup, not likely. Are you sure this relationship really exists? If so, you might want to investigate because this should not be the case. It ...(more)

Bob Jones ( 2020-05-24 13:13:39 +0000 )edit

When Wireshark is open and I carryout a WAN speed test with Ookla SPEEDTEST on any device on the network for example, the Wireshark software freezes up

...

Is this the approach I shouldn't be taking to eliminate Wireshark crashes

Freezes, or crashes? "Crashes" means "stops running because it gets a fatal error", which is different from "freezing", which means that it doesn't update its windows and doesn't respond to user input, but continues to run, even if it's in an infinite loop or something such as that.

While this is happening, is Wireshark consuming any CPU? And on what operating system is this?

Guy Harris ( 2020-05-25 06:32:11 +0000 )edit

add a comment

2 Answers

Sort by » oldest newest most voted

answered 2020-05-24 08:49:17 +0000

Guy Harris
19890 ●3 ●659 ●207

updated 2020-05-24 08:52:40 +0000

Also from the title of tcpdump, does it capture more than the TCP protocol despite the name?

Yes. The name is historical; it originally dissected only a few protocols, and was primarily intended for observing TCP's behavior, but, as I was reminded when I booted an old Ubuntu 7.x VM I had lying around, on which I'd unpacked an Ethereal 0.2.0 source tree (yes, the very first Wireshark release, as I remember, from before it was renamed to Wireshark), that only handled IP, UDP, and TCP (and probably Ethernet). tcpdump acquired a bunch of additional dissectors over time, just as Ethereal/Wireshark did - and it was always capable of capturing all traffic, it just doesn't dissect every protocol (also true of Wireshark - it can capture all traffic, even traffic it can't dissect).

tcpdump uses the same capture library that Wireshark uses to capture traffic (libpcap and the WinPcap and Npcap Windows ports of libpcap), and also uses libpcap to read and write capture files. libpcap's original file format was "pcap" format, which was also Wireshark's original file format; Wireshark's primary file format is pcapng, which libpcap can read (with some limitations) but currently can't write (except on macOS). Wireshark can read both pcap and pcapng files, so it can read capture files written by tcpdump.

NOTE: if you're going to capture with tcpdump, use the -w flag, so it writes out a pcap file, not a printout of the dissection of packets.

edit flag offensive delete link

add a comment

answered 2020-05-24 05:26:43 +0000

Chuckc
3023 ●6 ●608 ●20

updated 2020-05-24 05:29:47 +0000

image description

A process tree for Wireshark when capturing on Windows show that it uses dumpcap under the covers.
Man page here and an example in the User's Guide.
Use dumpcap to perform the capture to a file then open in the Wireshark gui for analysis.

A couple videos on the topic:
https://www.networkcomputing.com/netw...
At What Point Do Laptops Start Dropping Packets?
And a Sharkfest presentation

edit flag offensive delete link

add a comment