WS is non-responsive when capturing many packets

asked 2021-03-02 23:18:54 +0000

helarsen

updated 2021-03-03 09:00:05 +0000

When starting a capture (no filter) with a lot of traffic - after a few tens of seconds WS becomes non-responsive - even stopping the capture takes a long time. Is this normal and to be expected?

I assume it is due to the large volume of data and fair enough. But nevertheless it is a bit annoying. Are there tricks to tame it before it grinds to a halt except stopping manually after a few tens of seconds?

Thanks for hints.

Version info:

3.4.3 (v3.4.3-0-g6ae6cd335aa9)

Compiled (64-bit) with Qt 5.15.1, with libpcap, with GLib 2.52.3, with zlib
1.2.11, with SMI 0.4.8, with c-ares 1.15.0, with Lua 5.2.4, with GnuTLS 3.6.3
and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos, with MaxMind DB
resolver, with nghttp2 1.39.2, with brotli, with LZ4, with Zstandard, with
Snappy, with libxml2 2.9.9, with QtMultimedia, with automatic updates using
WinSparkle 0.5.7, with AirPcap, with SpeexDSP (using bundled resampler), with

Running on 64-bit Windows 10 (1803), build 17134, with Intel(R) Core(TM)
i7-8750H CPU @ 2.20GHz (with SSE4.2), with 32573 MB of physical memory, with
locale Danish_Denmark.utf8, with light display mode, without HiDPI, with Npcap
version 1.10, based on libpcap version 1.9.1, with GnuTLS 3.6.3, with Gcrypt
1.8.3, with brotli 1.0.2, without AirPcap, binary plugins supported (21 loaded).

Built using Microsoft Visual Studio 2019 (VC++ 14.28, build 29336).

What is your line rate? If you're not interested in layer 4 and above set an appropriate snaplen.

grahamb ( 2021-03-03 08:49:29 +0000 )

Thank you for your hints. I am very new to this so if nothing else but for myself I added screen dumps of the relevant settings corresponding to your suggestions. ...... just to find out that I need >60 points to upload a file - so I will have to keep this to myself.

helarsen ( 2021-03-03 20:46:50 +0000 )

@grahamb, it's 1 Gb/s TCP. Trying to figure out what causes: [Reassembly error, protocol TCP: New fragment overlaps old data (retransmission?)]

helarsen ( 2021-03-03 20:51:16 +0000 )

@helarsen, you can provide a link to an image posted elsewhere.

The error you noted happens when a TCP segment is retransmitted, but contains more data than originally sent. There has been some work done on TCP reassembly in the dev version (3.5.x), maybe you could try the latest automated build, see here.

grahamb ( 2021-03-04 11:27:03 +0000 )

answered 2021-03-03 07:30:22 +0000

Anders

Depends on your use case

  1. Disable update in real time
  2. Set a stop time or a stop size
  3. Use dumpcap to capture
  4. Use dumpcap saving to multiple files

But yes, capturing on a busy interface may be challenging.

answered 2021-03-03 08:25:13 +0000

hugo.vanderkooij

  1. Make sure not to do DNS resolving of IP addresses in Wireshark.

Sorry, I can only mark one as the answer, so I had to pick one.

helarsen ( 2021-03-03 20:48:27 +0000 )
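
The suggestions in the answers and comments above (dumpcap writing to multiple files, a stop condition, a snaplen) combined into one added example, which is not from the thread or from the Wireshark project: a small POSIX shell helper that prints a dumpcap ring-buffer command and roughly estimates how long the ring lasts on a saturated 1 Gb/s link. The interface index, file name, snaplen of 96, ring sizes and 1500-byte average packet size are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). All values are constructed for illustration.

# Build the dumpcap argument string for a truncated ring-buffer capture.
# $1 interface (index or name from `dumpcap -D`)   $2 snaplen in bytes
# $3 kB per ring file   $4 ring files kept   $5 autostop in seconds   $6 output file
dumpcap_args() {
    printf '%s\n' "-i $1 -s $2 -b filesize:$3 -b files:$4 -a duration:$5 -w $6"
}

# Rough estimate of how many seconds of traffic the ring holds before the
# oldest file is overwritten, assuming the link is saturated.
# $1 line rate in Mbit/s   $2 kB per ring file   $3 ring files kept
# $4 average packet size on the wire in bytes (assumption)   $5 snaplen in bytes
# Per-packet file overhead is ignored, so the real figure is somewhat lower.
ring_seconds() {
    stored=$5
    if [ "$stored" -gt "$4" ]; then stored=$4; fi   # snaplen cannot add bytes
    echo $(( $2 * $3 * 8 * $4 / ($1 * 1000 * stored) ))
}

# 1 Gbit/s link, 20 files of 100000 kB each, 1500-byte packets:
echo "untruncated ring holds ~$(ring_seconds 1000 100000 20 1500 262144) s"
echo "snaplen 96 ring holds  ~$(ring_seconds 1000 100000 20 1500 96) s"

# Command to run (interface index 1 and the file name are placeholders):
echo "dumpcap $(dumpcap_args 1 96 100000 20 300 busy.pcapng)"
# Open one finished ring file with name resolution off:  wireshark -n -r <file>
```

The dumpcap options are the same on Windows; with `-b`, dumpcap appends a sequence number and timestamp to the name given with `-w`.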

