Wireshark takes a long time to load pcap
Hi everyone, I'm using Wireshark to view a pcap file, and tshark to read the pcap as well. As can be seen, the file length is about 20 MB and the captured time is 9 seconds, but Wireshark takes about 27 seconds to display all packets. I tried some captured files from other interfaces with the same size, and they took just a few seconds to load. I don't know why; please help if you have any experience with this case and guide me on how to save time when loading (or when reading the file with tshark). Thank you very much!
I cannot attach the pcap file, so I put it on Google Drive: https://drive.google.com/file/d/1z2Tm...
What is the display filter set to?
Is name resolution enabled?
Hi, I don't set any filter, I just open the pcap file captured by tcpdump.
Do the other files that loaded faster each have approximately the same number of packets as the file that took 27 seconds to load? Or do they have fewer packets, even though they're approximately 20 MB in size as well?
Hi Harris, the number of packets in the other file is greater. Here are some properties of that file compared to the slower-loading file:
Time Elapsed: 6 seconds (compared to 9 seconds)
Packets: 255999 (compared to 155101)
Average pps: 37109.1 (compared to 16669.3)
Average bits/s: 67 M (compared to 15 M)
Loaded Time: 7 seconds (compared to 34 seconds)
It's likely the capture file that's slower to load has traffic that has more dissection "work" in it. This possibly includes the protocols, extra fields, decompression and decryption.
File size is no indication of the complexity of the traffic.
Maybe compare the Protocol Hierarchy in the two files to see what's different.
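Added example, not part of the original thread: one way to do the Protocol Hierarchy comparison from the command line is to parse the text that `tshark -q -z io,phs` prints for each capture and rank protocols by how much their share of frames differs. The function names and the two sample outputs are constructed for illustration and do not describe the poster's files; the parser assumes tshark's two-space indentation per hierarchy level.

```python
import re
import subprocess

# One row of `tshark -q -z io,phs` output: indent, protocol, frames:N bytes:N
ROW = re.compile(r"^(\s*)(\S+)\s+frames:(\d+)\s+bytes:(\d+)\s*$")

def run_phs(pcap_path):
    """Return the protocol hierarchy text for a capture (needs tshark on PATH)."""
    cmd = ["tshark", "-r", pcap_path, "-q", "-z", "io,phs"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def parse_phs(text):
    """Map paths such as 'eth:ip:tcp' to frame counts (depth = indent // 2, assumed)."""
    stack, frames = [], {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner lines, the "Filter:" line, blanks
        del stack[len(m.group(1)) // 2:]  # drop deeper or sibling levels
        stack.append(m.group(2))
        frames[":".join(stack)] = int(m.group(3))
    return frames

def shares(frames):
    """Convert frame counts to a fraction of all frames in the capture."""
    total = sum(n for path, n in frames.items() if ":" not in path) or 1
    return {path: n / total for path, n in frames.items()}

def compare(slow, fast):
    """Rows of (path, share_in_slow, share_in_fast), largest difference first."""
    s, f = shares(slow), shares(fast)
    rows = [(p, s.get(p, 0.0), f.get(p, 0.0)) for p in set(s) | set(f)]
    return sorted(rows, key=lambda r: (-abs(r[1] - r[2]), r[0]))

# Constructed sample outputs (not taken from the captures in this thread).
SLOW_SAMPLE = """Protocol Hierarchy Statistics
Filter:

eth                          frames:1000 bytes:900000
  ip                         frames:1000 bytes:900000
    tcp                      frames:900 bytes:850000
      tls                    frames:700 bytes:700000
    udp                      frames:50 bytes:20000
    icmp                     frames:50 bytes:30000
"""
FAST_SAMPLE = """eth                          frames:2000 bytes:1800000
  ip                         frames:2000 bytes:1800000
    udp                      frames:1700 bytes:1600000
    tcp                      frames:300 bytes:200000
"""
```

On real captures, pass `parse_phs(run_phs("slow.pcap"))` and `parse_phs(run_phs("fast.pcap"))` to `compare`; protocols that appear mostly or only in the slow file are the ones to look at first.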