It has come to my attention here at work that when one of the programmers here was testing calls to an application, he noticed that it takes 270ms to get a response. He then installed Wireshark and ran the same test calls to the same app, and the response time was 200ms faster.

So when I found out about this, I tested on 2 machines, one with Wireshark and one without. The one without, the test calls responded at 270ms. The one with Wireshark responded at 70ms.

So my question is: what network files does Wireshark update that would cause such a change?

Thank you,
Greg Forster
Sr. Network Engineer

asked 23 Mar '17, 12:44 gforster67
One Answer:
I'm not entirely sure what you mean by "network files" - you're probably talking about the system's network stack? The most common reason for things working differently when Wireshark is running is that it enables promiscuous mode on the network card it captures on. That results in packets being accepted that otherwise would not have been, for which the most common reason is a wrong destination MAC address. Or in other words: if a packet arrives with a MAC address different from the one of the network card, it will not be accepted unless Wireshark is capturing. So my advice would be this:
answered 23 Mar '17, 12:54 Jasper ♦♦ edited 23 Mar '17, 12:54
Jasper,
I understand your answer and it is not when Wireshark is running vs. not running. It is when Wireshark is installed vs. not installed that this is happening.
Interesting, I think that's the first time I've heard that. Is this Windows, and WinPCAP, or are you using npcap instead?
If it's Windows: can you check if you can uninstall Wireshark but keep WinPCAP installed to check if it still makes a difference?
I am working on that now. As soon as I am done I will let you know.
It looks like WinPCAP is what makes the change. With WinPCAP uninstalled the response is 270ms-300ms, with WinPCAP installed the response time changes to 50ms-75ms.
Hm okay, in this case we need someone who knows what WinPCAP does exactly... I'll see if I can get someone to take a look at this.
If memory serves me right, WinPCAP installs a service. Depending on your settings, this service may be started automatically (default?) or not. What happens if you stop that service?
There's some info here about WinPcap internals, in particular the NPF driver and how it fits in the stack.
Just guessing out loud, but if installing WinPcap improves latency, I suspect that it might be inadvertently "removing" or "diverting" something else from the stack that's adding the latency.