This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.
0
1

Dear WireShark Team, I have a very interesting behavior on some VM's installed with plain Windows 2012 R2 Server using PVSCSI and VMXNET3 drivers on vSphere 6.

Using a database client application it takes a x amount of time to load the data from the db to the VM. For troubleshooting reasons I installed WireShark as the loading performance was not sufficient.

Now the cool thing is that starting WireShark and closing it again and then using the database client application suddenly everything is very fast! This performance improvement stays there until the VM is restarted. Opening and closing WireShark again is then bringing the VM network speed back to it's high performance.

It seems that during the start of WireShark something is changed/reinitialized on the Windows networking parameters. Since I'm not very fund of reading source code I was wondering if any of you guys can tell me what is done on the Windows network side while starting WireShark or if you might have any hints regarding this.

Regards LC

asked 12 Feb '16, 02:13

Linuxcrash's gravatar image

Linuxcrash
6123
accept rate: 0%

we have exactly the same problem! and we thought we're getting nuts here. you have some news on this?

(13 Feb '16, 06:50) p199y

i wanted to post this question, since i saw someone already has the same problem i post this here, maybe some usefull information:

We have a performance issue with our intranet website. we checked network settings on our Cisco switches, web server configuration, SQL server configuration, OS settings, logs and so on but we could not grip where the problem is coming from. so we tried if we can find something by capturing some LAN traffic with Wireshark, then something unexpected happened: when we start Wireshark on the web server (Win 2012 R2), the performance issue instantly disappears. We can close Wireshark, restart the IIS Webservice, disable / enable the network connection, the performance issues does not appear anymore until we restart the OS of the Webserver. now we found out, that when we only start dumpcap in a cmd window the same effect happens: no performance issues.

you can imagine this leaves us kind of buffeled since we cant understand how starting wireshark to debug a problem actually solves it. is there anyone who can explain what exactly happens on OS level when dumpcap starts?

BTW: also starting windump.exe has the same effect.

also to mention: the NPF service / winpcap Driver starts automatically with the OS.

We run our webserver on a ESXi 6.0 Update 1 (newest Patch releases) Windows Server 2012 R2 Guest OS, VMXNET3 Drivers.

(13 Feb '16, 07:00) p199y

Good news, we found a solution that worked for us:

try this: disable LRO aka RSC on your VM:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2129176

good luck

permanent link

answered 13 Feb '16, 12:21

p199y's gravatar image

p199y
6113
accept rate: 100%

Hi All, After digging around with the VMXNET3 options I can now confirm the answer post.

There are two settings called Recv Segment Coalescing (IPv4) and Recv Segment Coalescing (IPv6) in the advanced network card settings that are enabled and for some reason have a very negative impact on MSSQL TCP traffic. As soon as these two settings were disabled the loading times on all VM’s have dropped from 25s to 3s and it seems to stay there constantly.

Thanks for the help everyone!

(15 Feb '16, 01:28) Linuxcrash
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×1,620
×26
×6
×1

question asked: 12 Feb '16, 02:13

question was seen: 5,902 times

last updated: 15 Feb '16, 01:42

p​o​w​e​r​e​d by O​S​Q​A