Very slow file copy is fixed when running Wireshark

asked 2023-05-31 20:12:58 +0000

updated 2023-06-01 09:16:00 +0000

Jaap

We have a Windows 10 Enterprise VM. It is used to Build and Deploy one of our applications. Part of the process is copying files from Server A (a Windows 2019 server VM) to Server B (another Windows 2019 server VM).

When this process fires, it takes between 45 minutes to well over an hour to complete. Way too slow. This is impacting our software deployments.

I fired up Wireshark to try to figure out the issue. As soon as Wireshark began capturing the traffic, the file copying immediately sped up. Repeating the file copy (with Wireshark running) takes <1 minute. Very interesting.

We stopped Wireshark, and it was slow again (but sometimes it remained fast. No idea why). After rebooting the VM though, the file copy was very slow again.

We are only copying 386 files, about 66 MB in size. So, it's not a crazy amount of data.

We have tested the file copy from Server A to Server B and vice versa, bypassing the Windows 10 VM altogether. We have copied files from other workstations (such as mine) to Server A with zero issues, and same to Server B.

My questions:

  1. What does Wireshark do on startup that "fixes" our file copy issue? From our experience, Wireshark does "something"; we want to know what that is.
  2. What configurations does it touch/modify/change?
  3. Which services does it start? If any?
  4. Which processes does it use?
  5. Does it change any OS settings?

I am not sure if I am asking the right questions. But for some reason, having Wireshark capturing traffic fixes all the file copy issues.





When you're running Wireshark, is it capturing in promiscuous mode or not? (I'm assuming this is not a copy over Wi-Fi.) If so, does changing the promiscuous mode (leaving it off if it was on, turning it on if it was off) make a difference?

Guy Harris ( 2023-06-01 05:09:47 +0000 )

Guy, thanks for responding. This is Wireshark Portable, freshly installed, no changes other than to auto resolve IPs to their names. I don't even know where to look for promiscuous mode.

No, this is not over Wi-Fi, as far as I know, the Win 10 VM and the 2 Win 2019 VMs are in the same data center. Ping times are usually < 1ms and number of TraceRt hops are 1.

Paul Wright ( 2023-06-01 14:06:02 +0000 )

> This is Wireshark Portable

That doesn't make a difference when it comes to promiscuous mode.

> I don't even know where to look for promiscuous mode.

Select "Options" from the "Capture" menu. In that dialog box, there's an "Enable promiscuous mode on all devices" check box. If it's checked, un-check it; if it's not checked, check it. Then select the interface(s) on which you want to capture, and click "Start".

Guy Harris ( 2023-06-01 19:18:31 +0000 )

Guy, thanks. I hadn't had a chance to get back to this... I did find the Promiscuous mode and it made no difference whether or not it was checked. It was Checked by default. It is now currently checked (after I tested Unchecked).

Paul Wright ( 2023-06-01 19:36:28 +0000 )

2 Answers


answered 2023-06-01 20:46:20 +0000

Guy Harris

updated 2023-06-01 20:47:27 +0000

> What configurations does it touch/modify/change?

It may put the interface in promiscuous mode, which has, on occasion, been known to change some network behavior in ways that clear up networking problems; however, as you tried both with and without promiscuous mode, with no change, that's probably not what's happening here.

Npcap, which provides the capture mechanisms that Wireshark (and other programs) use, adds a "filter driver" to the networking stack. As far as I know, that driver is always in the stack, but when a capture is in progress, that might change the behavior of the networking stack. You'd have to ask the Npcap developers about that.

> Which services does it start? If any?

It doesn't directly start any services; if installed with Npcap, there's a service that's part of Npcap that I think is started when the machine is booted.

> Which processes does it use?

The Wireshark UI process and a subprocess, running the "dumpcap" utility that's part of Wireshark, which does the packet capturing and writes the packets to a file.

> Does it change any OS settings?

Nothing other than the stuff Npcap does.



Guy, apologies for not replying sooner. I was pulled away by other issues that needed more urgent attention.

Hmmm, I wonder what Wireshark does when I begin capturing. Because it immediately "fixes" the file copy issue we are experiencing.

I will keep tinkering/exploring this issue. If you have any other insights, I will definitely pay attention.


Paul Wright ( 2023-06-22 15:16:11 +0000 )

answered 2023-06-01 01:59:15 +0000

menticol

Just an idea!

Try this PowerShell command before running Wireshark, save the result. Repeat after running Wireshark. Diff compare both txt files.

    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter IPEnabled=TRUE -ComputerName . | Select-Object -Property [a-z]* -ExcludeProperty IPX*,WINS*



Larottao, Thank you for the suggestion. Before and After text files are exactly the same. No differences.

Paul Wright ( 2023-06-01 17:44:31 +0000 )
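
A broader before/after snapshot covering what both answers above name (adapter configuration, promiscuous mode, the Npcap filter driver and its bindings, and the Wireshark and dumpcap processes), as an added example that is not from either poster or from the Wireshark or Npcap projects. It assumes the Npcap driver is registered under the name `npcap` and that its binding's display name contains "Npcap"; the function name `Get-CaptureStateSnapshot` is hypothetical.

```powershell
# Added example. Emits one text line per observed setting so two snapshots can be diffed.
function Get-CaptureStateSnapshot {
    # Adapter configuration: same WMI class as the one-liner in the answer above.
    foreach ($cfg in Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE') {
        foreach ($p in $cfg.CimInstanceProperties) {
            if ($p.Name -notlike 'IPX*' -and $p.Name -notlike 'WINS*') {
                "cfg[$($cfg.Index)] $($p.Name)=$($p.Value -join ',')"
            }
        }
    }

    # Promiscuous mode as reported by the adapter itself.
    Get-NetAdapter | Sort-Object Name |
        ForEach-Object { "adapter[$($_.Name)] PromiscuousMode=$($_.PromiscuousMode) Status=$($_.Status)" }

    # Filter-driver bindings; the Npcap entry is matched by display name (assumption).
    Get-NetAdapterBinding -AllBindings |
        Where-Object { $_.DisplayName -like '*Npcap*' } |
        Sort-Object Name, ComponentID |
        ForEach-Object { "binding[$($_.Name)] $($_.ComponentID) Enabled=$($_.Enabled)" }

    # Npcap driver state. The driver name 'npcap' is an assumption.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='npcap'"
    if ($drv) { "driver npcap State=$($drv.State) StartMode=$($drv.StartMode)" }
    else      { 'driver npcap not found' }

    # Processes named in the answer: the Wireshark UI and its dumpcap subprocess.
    foreach ($name in 'Wireshark', 'dumpcap') {
        $count = @(Get-Process -Name $name -ErrorAction SilentlyContinue).Count
        "process $name instances=$count"
    }
}

# Snapshot with no capture running, then again while a capture is in progress.
$before = Get-CaptureStateSnapshot
$null   = Read-Host 'Start the Wireshark capture, then press Enter'
$after  = Get-CaptureStateSnapshot

# '<=' lines exist only before the capture, '=>' lines only during it.
Compare-Object -ReferenceObject $before -DifferenceObject $after |
    Sort-Object InputObject |
    Format-Table SideIndicator, InputObject -AutoSize
```

Run it from an elevated PowerShell session on the Windows 10 VM; an empty table means none of the observed items changed when the capture started.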
