
tshark or dumpcap affecting RDP session on Windows Server 2012R2

asked 2020-09-15 19:55:07 +0000

JohnBoy

Has anyone encountered RDP performance issues while running tshark or dumpcap on a remote Windows 2012R2 server?

I have found lately that when I run a persistent tshark capture (or dumpcap), using out of band network ports, writing to a file ring buffer, the in-band RDP session that I use to administer the same server suffers from RDP issues to the point where, after some time passes, I need to reboot the server to regain control. All the while, the tshark session runs merrily along.

I hope I explained this well enough.

Today, for the first time, I am trying to run the tshark capture from within a bat file being called from a scheduled task so that I don't have to be logged into the server via RDP. So far, so good. Time will tell.

Thanks in advance.


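The scheduled-task approach mentioned in the question, as an added PowerShell example (not the poster's batch file and not Wireshark project code): it registers a startup task that runs dumpcap with a file ring buffer, so the capture does not depend on an RDP logon. The install path, interface name, output directory, task name and ring-buffer sizes are assumptions to replace with local values.

```powershell
# Added example. Values marked "assumed" or "hypothetical" are not from the original post.
$Dumpcap   = 'C:\Program Files\Wireshark\dumpcap.exe'  # assumed: default Wireshark install path
$Interface = 'Capture-OOB'      # hypothetical: out-of-band NIC name as listed by "dumpcap -D"
$OutDir    = 'D:\captures'      # hypothetical: output directory for the ring buffer
$TaskName  = 'OOB-RingCapture'  # hypothetical: scheduled task name

if (-not (Test-Path -LiteralPath $Dumpcap)) { throw "dumpcap not found at $Dumpcap" }

# Confirm the capture driver actually exposes the interface before registering anything.
$visible = & $Dumpcap -D 2>&1 | Select-String -SimpleMatch $Interface
if (-not $visible) { throw "Interface '$Interface' is not listed by dumpcap -D" }

# Capture files contain raw traffic; keep the directory readable by administrators only.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Ring buffer: rotate every 100 MB (filesize is given in kB) and keep the newest 20 files.
$dumpcapArgs = "-i `"$Interface`" -b filesize:102400 -b files:20 -w `"$OutDir\oob.pcapng`""

$action    = New-ScheduledTaskAction -Execute $Dumpcap -Argument $dumpcapArgs
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# The default execution time limit is 72 hours, which would stop a persistent capture;
# a zero TimeSpan removes the limit. Restart a few times if dumpcap exits unexpectedly.
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit ([TimeSpan]::Zero) `
                 -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1)

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null
Start-ScheduledTask -TaskName $TaskName

# Report the task state so the operator can confirm the capture is running.
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State
```

Run it from an elevated PowerShell session on the capture server.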


What does tshark --version report about the version of WinPcap or Npcap with which it's running?

Guy Harris ( 2020-09-15 21:21:53 +0000 )

Thanks for your response. Here is the output of that command:

TShark (Wireshark) 3.2.4 (v3.2.4-0-g893b5a5e1e3e)

Copyright 1998-2020 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later <>
This is free software; see the source for copying conditions. There is NO

Compiled (64-bit) with WinPcap SDK (WpdPack) 4.1.2, with GLib 2.52.3, with zlib
1.2.11, with SMI 0.4.8, with c-ares 1.15.0, with Lua 5.2.4, with GnuTLS 3.6.3
and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos, with MaxMind DB
resolver, with nghttp2 1.39.2, with brotli, with LZ4, with Zstandard, with
Snappy, with libxml2 2.9.9.

Running on 64-bit Windows Server 2012 R2, build 9600 ...
JohnBoy ( 2020-09-16 11:53:07 +0000 )

Npcap version 0.9991

Npcap is currently at 0.9997 with fixes for memory use.

Example here of upgrade helping.

Chuckc ( 2020-09-16 14:18:17 +0000 )

Also note that 3.2.6 is the current stable release.

grahamb ( 2020-09-16 14:34:57 +0000 )

Thanks guys... I'll give the new version a go and see how I make out.


JohnBoy ( 2020-09-16 14:37:42 +0000 )

1 Answer


answered 2020-09-21 17:30:17 +0000

Guy Harris

As others have noted, that's likely to be an issue with Npcap, as it has to insert a driver into the networking stack to capture traffic.

You should file an issue on the Npcap issue list.




Asked: 2020-09-15 19:55:07 +0000

Seen: 279 times

Last updated: Sep 21 '20