Ask Your Question
0

tshark or dumpcap affecting RDP session on Windows Server 2012R2

asked 2020-09-15 19:55:07 +0000

JohnBoy gravatar image

Has anyone encountered RDP performance issues while running tshark or dumpcap on a remote Windows 2012R2 server?

I have found lately that when I run a persistent tshark capture (or dumpcap), using out of band network ports, writing to a file ring buffer, the in-band RDP session that I use to administer the same server suffers from RDP issues to the point where, after some time passes, I need to reboot the server to regain control. All the while, the tshark session runs merrily along.

I hope I explained this well enough.

Today, for the first time, I am trying to run the tshark capture from within a bat file being called from a scheduled task so that I dont have to be logged into the server via RDP. So far, so good. Time will tell.

Thanks in advance.

John

edit retag flag offensive close merge delete

Comments

What does tshark --version report about the version of WinPcap or Npcap with which it's running?

Guy Harris gravatar imageGuy Harris ( 2020-09-15 21:21:53 +0000 )edit

Thanks for your response. Here is the output of that command:

TShark (Wireshark) 3.2.4 (v3.2.4-0-g893b5a5e1e3e)

Copyright 1998-2020 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with WinPcap SDK (WpdPack) 4.1.2, with GLib 2.52.3, with zlib
1.2.11, with SMI 0.4.8, with c-ares 1.15.0, with Lua 5.2.4, with GnuTLS 3.6.3
and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos, with MaxMind DB
resolver, with nghttp2 1.39.2, with brotli, with LZ4, with Zstandard, with
Snappy, with libxml2 2.9.9.

Running on 64-bit Windows Server 2012 R2, build 9600 ...
(more)
JohnBoy gravatar imageJohnBoy ( 2020-09-16 11:53:07 +0000 )edit

Npcap version 0.9991

npcap is currently at 0.9997 with fixes for memory use.

Example here of upgrade helping.

Chuckc gravatar imageChuckc ( 2020-09-16 14:18:17 +0000 )edit

Also note that 3.2.6 is the current stable release.

grahamb gravatar imagegrahamb ( 2020-09-16 14:34:57 +0000 )edit

Thanks guys... I'll give the new version a go and see how I make out.

Cheers.

JohnBoy gravatar imageJohnBoy ( 2020-09-16 14:37:42 +0000 )edit
see more comments

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-09-21 17:30:17 +0000

Guy Harris gravatar image

As others have noted, that's likely to be an issue with Npcap, as it has to insert a driver into the networking stack to capture traffic.

You should file an issue on the Npcap issue list.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-09-15 19:55:07 +0000

Seen: 360 times

Last updated: Sep 21 '20

Related questions

What is the position of WinPcap within a Windows server 2016 network stack?

Wireshark 2.4.1 GTK Crash on long run

wifi disconnects as wireshark starts

Deduplication in tshark -T ek [closed]

filtering out protocol, sequence number, and ack using tshark

what determines the final windows scaling factor?

Monitoring UDP data on wireshark shows ARP packet

Using tshark filters to extract only interesting traffic from 12GB trace

Failed to run MSBuild command (CMake Error at CMakeLists.txt:22 (project))

No CMAKE_C(XX)_COMPILER could be found