This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Win 2012 R2 VM - Network much faster after Wireshark was started…

Dear Wireshark Team, I have a very interesting behavior on some VMs installed with plain Windows 2012 R2 Server using PVSCSI and VMXNET3 drivers on vSphere 6.

Using a database client application, it takes an x amount of time to load the data from the db to the VM. For troubleshooting reasons I installed Wireshark, as the loading performance was not sufficient.

Now the cool thing is that after starting Wireshark and closing it again and then using the database client application, suddenly everything is very fast! This performance improvement stays there until the VM is restarted. Opening and closing Wireshark again then brings the VM network speed back to its high performance.

It seems that during the start of Wireshark something is changed/reinitialized in the Windows networking parameters. Since I'm not very fond of reading source code, I was wondering if any of you guys can tell me what is done on the Windows network side while starting Wireshark, or if you might have any hints regarding this.

Regards LC

asked 12 Feb '16, 02:13

Linuxcrash

We have exactly the same problem! And we thought we were going nuts here. Do you have any news on this?

(13 Feb '16, 06:50) p199y

I wanted to post this question; since I saw someone already has the same problem, I post this here, maybe as some useful information:

We have a performance issue with our intranet website. We checked network settings on our Cisco switches, web server configuration, SQL server configuration, OS settings, logs and so on, but we could not grip where the problem is coming from. So we tried to see if we could find something by capturing some LAN traffic with Wireshark, and then something unexpected happened: when we start Wireshark on the web server (Win 2012 R2), the performance issue instantly disappears. We can close Wireshark, restart the IIS web service, disable/enable the network connection, and the performance issue does not appear anymore until we restart the OS of the web server. Now we found out that when we only start dumpcap in a cmd window, the same effect happens: no performance issues.

You can imagine this leaves us kind of baffled, since we can't understand how starting Wireshark to debug a problem actually solves it. Is there anyone who can explain what exactly happens at the OS level when dumpcap starts?

BTW: starting windump.exe also has the same effect.

Also to mention: the NPF service / WinPcap driver starts automatically with the OS.

We run our web server on an ESXi 6.0 Update 1 (newest patch releases) Windows Server 2012 R2 guest OS, VMXNET3 drivers.

(13 Feb '16, 07:00) p199y

One Answer:

Good news, we found a solution that worked for us:

Try this: disable LRO, aka RSC, on your VM:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2129176

Good luck.

answered 13 Feb '16, 12:21

p199y

Hi all, after digging around with the VMXNET3 options I can now confirm the answer post.

There are two settings called Recv Segment Coalescing (IPv4) and Recv Segment Coalescing (IPv6) in the advanced network card settings that are enabled and for some reason have a very negative impact on MSSQL TCP traffic. As soon as these two settings were disabled, the loading times on all VMs dropped from 25s to 3s, and it seems to stay there constantly.

Thanks for the help everyone!

(15 Feb '16, 01:28) Linuxcrash
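
One way to check and disable the two Recv Segment Coalescing settings named in this thread from PowerShell instead of the adapter's advanced properties dialog. This is an added example, not part of the original posts or the linked KB article; it assumes the built-in NetAdapter cmdlets of Windows Server 2012 R2 and that the affected adapters can be found by an interface description containing "vmxnet3".

```powershell
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: VMXNET3 adapters are identified by their interface description.
    [string]$DescriptionPattern = '*vmxnet3*'
)

$adapters = Get-NetAdapter -InterfaceDescription $DescriptionPattern -ErrorAction SilentlyContinue
if (-not $adapters) {
    Write-Warning "No adapter matches '$DescriptionPattern'."
    return
}

foreach ($adapter in $adapters) {
    # Adapters without RSC support return nothing here; skip them.
    $before = Get-NetAdapterRsc -Name $adapter.Name -ErrorAction SilentlyContinue
    if (-not $before) {
        Write-Verbose "$($adapter.Name): RSC not supported, skipping."
        continue
    }

    if ($before.IPv4Enabled -or $before.IPv6Enabled) {
        # Disable-NetAdapterRsc restarts the adapter unless -NoRestart is given,
        # so expect a short connectivity drop. Run with -WhatIf to preview.
        if ($PSCmdlet.ShouldProcess($adapter.Name, 'Disable RSC for IPv4 and IPv6')) {
            Disable-NetAdapterRsc -Name $adapter.Name -IPv4 -IPv6
        }
    }

    # Re-read the state so the report shows what is actually configured now.
    $after = Get-NetAdapterRsc -Name $adapter.Name
    [pscustomobject]@{
        Adapter      = $adapter.Name
        Description  = $adapter.InterfaceDescription
        IPv4Before   = $before.IPv4Enabled
        IPv6Before   = $before.IPv6Enabled
        IPv4Now      = $after.IPv4Enabled
        IPv6Now      = $after.IPv6Enabled
    }
}
```

Compare load times before and after on one VM first, since the thread reports the effect for MSSQL TCP traffic specifically.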