tshark or dumpcap affecting RDP session on Windows Server 2012R2

asked 2020-09-15 19:55:07 +0000

JohnBoy

Has anyone encountered RDP performance issues while running tshark or dumpcap on a remote Windows 2012R2 server?

I have found lately that when I run a persistent tshark capture (or dumpcap), using out of band network ports, writing to a file ring buffer, the in-band RDP session that I use to administer the same server suffers from RDP issues to the point where, after some time passes, I need to reboot the server to regain control. All the while, the tshark session runs merrily along.

I hope I explained this well enough.

Today, for the first time, I am trying to run the tshark capture from within a bat file being called from a scheduled task so that I don't have to be logged into the server via RDP. So far, so good. Time will tell.

Thanks in advance.




What does tshark --version report about the version of WinPcap or Npcap with which it's running?

Guy Harris (2020-09-15 21:21:53 +0000)

Thanks for your response. Here is the output of that command:

TShark (Wireshark) 3.2.4 (v3.2.4-0-g893b5a5e1e3e)

Copyright 1998-2020 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later <>
This is free software; see the source for copying conditions. There is NO

Compiled (64-bit) with WinPcap SDK (WpdPack) 4.1.2, with GLib 2.52.3, with zlib
1.2.11, with SMI 0.4.8, with c-ares 1.15.0, with Lua 5.2.4, with GnuTLS 3.6.3
and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos, with MaxMind DB
resolver, with nghttp2 1.39.2, with brotli, with LZ4, with Zstandard, with
Snappy, with libxml2 2.9.9.

Running on 64-bit Windows Server 2012 R2, build 9600 ...
JohnBoy (2020-09-16 11:53:07 +0000)

Npcap version 0.9991

Npcap is currently at 0.9997 with fixes for memory use.

Example here of upgrade helping.

Chuckc (2020-09-16 14:18:17 +0000)

Also note that 3.2.6 is the current stable release.

grahamb (2020-09-16 14:34:57 +0000)

Thanks guys... I'll give the new version a go and see how I make out.


JohnBoy (2020-09-16 14:37:42 +0000)

Note that 3.2.6 doesn't have the latest Npcap; the imminent 3.2.7 will. I would first install Npcap 0.9997 manually, then install the newer Wireshark.

grahamb (2020-09-16 14:43:16 +0000)

I have tried 3.2.6 and 3.3.0 with Npcap 0.9997 to no avail. As long as tshark or dumpcap is running, RDP sessions to the server fail after some time and the server needs to be rebooted out of band. I'm stumped.

JohnBoy (2020-09-21 15:38:55 +0000)

Are you collecting any OS statistics on the server that might indicate which resource(s) are being exhausted?

Chuckc (2020-09-21 15:45:53 +0000)

I think the problem is related to processor affinity.

I have observed that when dumpcap runs, CPUs 0 and 1 in my 12-core system spike at almost 100%. In fact, during this time the System Interrupts process is the top process (by utilization).

I am going to try forcing dumpcap to run on a CPU other than 0 or 1 and see what happens.

Stay tuned.

JohnBoy (2020-09-21 18:00:57 +0000)
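The following script is an added example, not code from the thread or from the Wireshark/Npcap projects. It puts the three things discussed above into one place: the scheduled-task approach from the question (so no interactive RDP logon is needed), the per-CPU statistics Chuckc asked about, and the affinity experiment JohnBoy proposed. The dumpcap path, the interface number, the output directory and the 12-logical-CPU count are assumptions to be adjusted for the server in question.

```powershell
# Added example, not from the original thread. Hypothetical paths, interface
# number and CPU count; adjust for the server in question.
#
# Usage:
#   .\start-capture.ps1 -Register   # once, from an elevated shell: creates the task
#   .\start-capture.ps1             # what the task runs at boot
param([switch]$Register)

$Dumpcap     = 'C:\Program Files\Wireshark\dumpcap.exe'   # assumption
$Interface   = 2            # assumption: out-of-band NIC as numbered by 'dumpcap -D'
$OutDir      = 'D:\captures'  # assumption
$LogicalCpus = 12           # assumption: matches the poster's 12-core box
$TaskName    = 'OOB-Capture'

if ($Register) {
    # Run as SYSTEM at boot, so no RDP session has to stay logged in. The
    # default 3-day execution limit would kill a persistent capture, so lift it.
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$($MyInvocation.MyCommand.Path)`""
    $trigger   = New-ScheduledTaskTrigger -AtStartup
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    $settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit ([TimeSpan]::Zero)
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force | Out-Null
    return
}

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# Ring buffer of 50 x 100 MB files; dumpcap's -b filesize is in kB. -n disables
# name resolution so the capture process never generates DNS traffic of its own.
$DumpcapArgs = @('-i', "$Interface", '-n',
                 '-b', 'filesize:102400', '-b', 'files:50',
                 '-w', (Join-Path $OutDir 'oob.pcapng'))
$proc = Start-Process -FilePath $Dumpcap -ArgumentList $DumpcapArgs -PassThru -WindowStyle Hidden

# Keep dumpcap's user-mode threads off CPUs 0 and 1: mask with bits 2..(n-1) set,
# which is 0xFFC for 12 logical CPUs. This does NOT move the NIC's interrupt or
# the Npcap driver's DPC work; that stays on whichever CPU the adapter's
# interrupts are steered to (Get-NetAdapterRss / Set-NetAdapterRss control that).
$mask = ((1 -shl $LogicalCpus) - 1) -band (-bnot 3)
$proc.ProcessorAffinity = [IntPtr]$mask

# Record the resources a capture stall would exhaust: interrupt and DPC time on
# CPUs 0 and 1, and non-paged pool, which is where a leaking kernel driver shows up.
$counters = @(
    '\Processor(0)\% Interrupt Time', '\Processor(1)\% Interrupt Time',
    '\Processor(0)\% DPC Time',       '\Processor(1)\% DPC Time',
    '\Memory\Pool Nonpaged Bytes'
)
Get-Counter -Counter $counters -SampleInterval 30 -MaxSamples 20 |
    Export-Counter -Path (Join-Path $OutDir 'dumpcap-perf.csv') -FileFormat CSV -Force
```

The counter sampling runs for ten minutes and then the script exits while dumpcap keeps running; extend `-MaxSamples` or loop it if the RDP failure takes longer to appear. The caveat worth keeping in mind when reading the results is in the comments: process affinity only moves dumpcap's own threads. The work that showed up as "System Interrupts" on CPUs 0 and 1 is done in the kernel by the NIC driver and the Npcap filter driver, and its placement is decided by the adapter's interrupt and RSS configuration, not by the capturing process.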

1 Answer


answered 2020-09-21 17:30:17 +0000

Guy Harris

As others have noted, that's likely to be an issue with Npcap, as it has to insert a driver into the networking stack to capture traffic.

You should file an issue on the Npcap issue list.


Last updated: Sep 21 '20