
WS is non-responsive when capturing many packets

asked 2021-03-02 23:18:54 +0000

helarsen

updated 2021-03-03 09:00:05 +0000

When starting a capture (no filter) with a lot of traffic - after a few tens of seconds WS becomes non-responsive - even stopping the capture takes a long time. Is this normal and to be expected?

I assume it is due to the large volume of data, and fair enough. But nevertheless it is a bit annoying. Are there tricks to tame it before it grinds to a halt, except stopping manually after a few tens of seconds?

Thanks for hints.

Version info:

3.4.3 (v3.4.3-0-g6ae6cd335aa9)

Compiled (64-bit) with Qt 5.15.1, with libpcap, with GLib 2.52.3, with zlib
1.2.11, with SMI 0.4.8, with c-ares 1.15.0, with Lua 5.2.4, with GnuTLS 3.6.3
and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos, with MaxMind DB
resolver, with nghttp2 1.39.2, with brotli, with LZ4, with Zstandard, with
Snappy, with libxml2 2.9.9, with QtMultimedia, with automatic updates using
WinSparkle 0.5.7, with AirPcap, with SpeexDSP (using bundled resampler), with
Minizip.

Running on 64-bit Windows 10 (1803), build 17134, with Intel(R) Core(TM)
i7-8750H CPU @ 2.20GHz (with SSE4.2), with 32573 MB of physical memory, with
locale Danish_Denmark.utf8, with light display mode, without HiDPI, with Npcap
version 1.10, based on libpcap version 1.9.1, with GnuTLS 3.6.3, with Gcrypt
1.8.3, with brotli 1.0.2, without AirPcap, binary plugins supported (21 loaded).

Built using Microsoft Visual Studio 2019 (VC++ 14.28, build 29336).

Comments

What is your line rate? If you're not interested in layer 4 and above set an appropriate snaplen.

grahamb ( 2021-03-03 08:49:29 +0000 )

Thank you for your hints. I am very new to this so if nothing else but for myself I added screen dumps of the relevant settings corresponding to your suggestions. ...... just to find out that I need >60 points to upload a file - so I will have to keep this to myself.

helarsen ( 2021-03-03 20:46:50 +0000 )

@grahamb. It's 1 Gb/s TCP. Trying to figure out what causes: [Reassembly error, protocol TCP: New fragment overlaps old data (retransmission?)]

helarsen ( 2021-03-03 20:51:16 +0000 )

@helarsen, you can provide a link to an image posted elsewhere.

The error you noted happens when a TCP segment is retransmitted, but contains more data than originally sent. There has been some work done on TCP reassembly in the dev version (3.5.x), maybe you could try the latest automated build, see here.

grahamb ( 2021-03-04 11:27:03 +0000 )

2 Answers


answered 2021-03-03 07:30:22 +0000

Anders

Depends on your use case

  1. Disable update in real time
  2. Set a stop time or a stop size
  3. Use dumpcap to capture
  4. Use dumpcap saving to multiple files

But yes, capturing on a busy interface may be challenging.
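Options 2 to 4 of the answer above, combined with the snaplen suggestion from the comments, as an added example that is not part of the original answers: it estimates how fast a capture fills the disk at the 1 Gb/s rate mentioned in the thread and builds a dumpcap ring-buffer command. The interface name `Ethernet`, the output name `ring.pcapng`, the 1500-byte average frame and all sizes are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Interface name, file name, sizes and
# the 1500-byte average frame are assumptions; adjust them to your link.

# Estimated kB/s written to disk when capturing at line rate.
#   $1 = line rate in Mbit/s, $2 = average frame size in bytes, $3 = snaplen
# Each stored packet costs min(snaplen, frame) bytes plus the 32-byte pcapng
# Enhanced Packet Block header (padding and link framing overhead ignored).
disk_rate_kBps() (
    pps=$(( $1 * 1000000 / 8 / $2 ))
    stored=$2
    if [ "$3" -lt "$2" ]; then stored=$3; fi
    echo $(( pps * (stored + 32) / 1000 ))
)

# Seconds of traffic a ring buffer holds before the oldest file is overwritten.
#   $1 = write rate in kB/s, $2 = size of each file in kB, $3 = number of files
ring_window_seconds() (
    echo $(( $2 * $3 / $1 ))
)

# Build the capture command: truncate packets (-s), rotate files (-b) and
# stop automatically (-a) so the capture never has to be stopped by hand.
#   $1 = interface, $2 = snaplen, $3 = file size in kB, $4 = files, $5 = seconds
dumpcap_cmd() (
    echo "dumpcap -i $1 -s $2 -b filesize:$3 -b files:$4 -a duration:$5 -w ring.pcapng"
)

# Constructed scenario: 1 Gb/s link, headers only (96 bytes) vs. full packets.
for snaplen in 96 1500; do
    rate=$(disk_rate_kBps 1000 1500 "$snaplen")
    window=$(ring_window_seconds "$rate" 100000 20)
    echo "snaplen $snaplen: ~$rate kB/s to disk, 20 x 100 MB ring holds ~$window s"
done
dumpcap_cmd Ethernet 96 100000 20 600
```

dumpcap only writes packets to disk and does no dissection, so the resulting files can be opened in Wireshark one at a time after the capture has stopped.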

answered 2021-03-03 08:25:13 +0000

hugo.vanderkooij

  1. Make sure not to do DNS resolving of IP addresses in Wireshark.

Comments

Sorry, I can only mark one as the answer, so I had to pick one.

helarsen ( 2021-03-03 20:48:27 +0000 )
