loading pcap from SMB share takes very long

asked 2026-03-25 10:27:26 +0000

SharkFan

Hello community, I hope somebody can help me or has a hint. I have a Linux server creating pcap traces with tshark. Every file has a max size of 100MB and they contain only SIP (no RTP, just SIP) traffic. I can access these files from my Win11 workstation through a network SMB share.

Wireshark is closed. I start Wireshark with one of these pcap files. Now Wireshark starts and tells me about initialization. This takes around 150 seconds. During this time I see SMB traffic at a rate of 1MBit/s. On my Linux workstation, this can even take up to 4 minutes. After this waiting time, Wireshark shows me the loading bar in the lower left corner, and during that time the traffic goes up to 200MBit/s.

Finally I can use Wireshark as usual. But why does it take so long? Any idea? tcpdump during this initialization gives me small packets below 256 bytes. So it looks like some kind of control traffic.

Thank you for any help.


Comments

What is the round-trip time between the system running Wireshark and the SMB server?

SYN-bit ( 2026-03-25 13:10:25 +0000 )

1 Answer

answered 2026-03-25 12:46:08 +0000

SharkFan

OK, it is not the file itself; it has more to do with SMB and the way Wireshark handles it. I can first make a local copy and then start it in a few seconds. Not sure what I could do. Seems like Wireshark has no feature for working with a local cache file. For now, copying the file and then starting it is the fastest way.
