Network Problem Resolved Itself After Wireshark Install

asked 2020-07-01 20:49:58 +0000

Hello all,

I have a bit of an odd scenario.

We have been having network issues with one of our applications here downloading files from a server. It affects about half the PCs.

In order to troubleshoot this problem I was going to try using Wireshark to look at the traffic. I noticed the problem went away as soon as Wireshark was installed and came back as soon as it was uninstalled.

I'm thinking this may be more related to Npcap that gets installed with it.

Does anyone know what it is changing during install that may be causing these issues to go away?

It would be nice to know what it is changing that is essentially "fixing" the issues without actually having to install either one.

Thanks, Justin


Comments

You didn't mention what the download issues are or versions for OS and npcap.
Perhaps it's similar to this issue affected by throughput.

Chuckc ( 2020-07-01 21:15:29 +0000 )

Thanks for the reply, Chuck.

The download issue is that the software reaches out to the server to pull files down after an update to the client. It starts the process and then hangs indefinitely.

This is 64 bit Windows 10.

The problem actually is resolved with installing Wireshark and Npcap.

I don't recall the version of Npcap. I will have to verify, but I do know it's whatever version is packaged with the latest Wireshark.

JustinDS89 ( 2020-07-01 21:38:25 +0000 )

Wireshark 3.2.5 just came out today so will assume your install is 3.2.4 which included "Npcap 0.9991".
Npcap is available as a standalone download here.
It would be nice to remove Wireshark from the equation if possible.

Chuckc ( 2020-07-01 21:54:48 +0000 )

What happens if you uninstall Npcap?

If that causes the issues to come back, do they then go away if you re-install Npcap?

Guy Harris ( 2020-07-01 22:03:58 +0000 )

Thanks Chuck and Guy, I know the problem comes back when uninstalling Wireshark and Npcap at the same time.

Let me confirm if it is just Npcap that is affecting things and taking Wireshark out of the equation if possible.

Btw Guy I have found one person with a very similar scenario as mine from 2013 (no resolution I saw), but I believe you were the one that posted on that actually.

I really appreciate the help though as this is a bit odd and really trying to figure out what's happening.

I won't be able to confirm if it's just Npcap or not until in the morning though.

JustinDS89 ( 2020-07-01 22:17:42 +0000 )

It appears that just installing Npcap doesn't seem to help.

I did check two PCs out and they are using the same drivers for the network adapter with the same configuration. Really odd.

JustinDS89 ( 2020-07-02 17:21:58 +0000 )

Hello again everyone.

Wanted to post back and see if anyone else had any more thoughts or ideas?

Thanks.

JustinDS89 ( 2020-07-29 19:58:03 +0000 )

Can you add the output of wireshark -v or Help->About Wireshark:Wireshark.

Not the answer but another example of Wireshark fixing an issue - “is it a good idea to install Wireshark on all my clients to fix the problem for them, too?”

Chuckc ( 2020-07-29 20:37:53 +0000 )

Thanks Chuck for the response and that link.

3.2.4 (v3.2.4-0-g893b5a5e1e3e)

Compiled (64-bit) with Qt 5.12.8, with WinPcap SDK (WpdPack) 4.1.2, with GLib 2.52.3, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.15.0, with Lua 5.2.4, with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.39.2, with brotli, with LZ4, with Zstandard, with Snappy, with libxml2 2.9.9, with QtMultimedia, with automatic updates using WinSparkle 0.5.7, with AirPcap, with SpeexDSP (using bundled resampler), with SBC, with SpanDSP, with bcg729.

Running on 64-bit Windows 10 (1909), build 18363, with Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz (with SSE4.2), with 16180 MB of physical memory, with locale English_United States.1252, with light display mode ...

JustinDS89 ( 2020-07-29 20:59:51 +0000 )

"It appears that just installing Npcap doesn't seem to help."
When installing just npcap, what version was it?

Wireshark install shows - with Npcap version 0.9991

Chuckc ( 2020-07-29 21:11:07 +0000 )

I actually installed version 0.9994 of Npcap.

JustinDS89 ( 2020-07-30 12:39:28 +0000 )

Previous versions of npcap available here.
Extra work but would then be apples to apples comparison.

Chuckc ( 2020-07-30 15:28:57 +0000 )

I can test and see with the exact same version.

I will add that I tested with another program (NetworkMiner) and that did not make a difference in the issue like Wireshark does. I did verify using PowerShell that both Wireshark and NetworkMiner do put the NIC into promiscuous mode though while they are open. It would seem that there may be more to it than just having the NIC in promiscuous mode.

JustinDS89 ( 2020-07-30 16:28:42 +0000 )

So it requires Wireshark to be running, not just installed?

Chuckc ( 2020-07-30 17:07:34 +0000 )

Well yes and no. Let me clarify.

It appears after a Wireshark install it doesn't make any difference at all until you at least open the application once. After that I have been able to close Wireshark and it still works as it's supposed to. I know that may sound a bit odd

JustinDS89 ( 2020-07-30 17:51:37 +0000 )