This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

It has come to my attention here at work, when one of the programmers here was testing calls to an application he noticed that it takes 270ms to get a response. He then installed Wireshark and ran the same test calls to the same app and the response time was 200ms faster. So when I found out about this I tested on 2 machines one with Wireshark and one without. The one without, the test calls responded at 270ms. The one with Wireshark responded at 70ms.

So my question is what network files does Wireshark update that would cause such a change?

Thank you, Greg Forster Sr. Network Engineer

asked 23 Mar '17, 12:44

gforster67's gravatar image

gforster67
6112
accept rate: 0%


I'm not entirely sure what you mean by "network files" - probably you talk about the system's network stack?

The most common reason for things working differently when Wireshark is running is that it enables promiscuous mode on the network card it captures on. That results in packets being accepted that otherwise would not have been, for which the most common reason is a wrong destination MAC address. Or in other words: if a packet arrives with a MAC address different than the one of the network card, it will not be accepted unless Wireshark is capturing.

So my advice would be this:

  • check the destination MAC addresses of the incoming packets. Compare them to the network card MAC. Almost always the MAC is slightly off.
  • if the MAC is correct, check if the application is also faster when Wireshark isn't running. If it's also faster without Wireshark running (but being installed), something in the network stack is behaving differently.
permanent link

answered 23 Mar '17, 12:54

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

edited 23 Mar '17, 12:54

Jasper,

I understand your answer and it is not when Wireshark is running vs. not running. It is when Wireshark is installed vs. not installed that this is happening.

(23 Mar '17, 13:06) gforster67

Interesting, I think that's the first time I hear that. Is this Windows, and WinPCAP, or are you using npcap instead?

If it's Windows: can you check if you can uninstall Wireshark but keep WinPCAP installed to check if it still makes a difference?

(23 Mar '17, 13:12) Jasper ♦♦

I am working on that now as soon as I am done I will let you know.

(23 Mar '17, 13:14) gforster67

It looks like WinPCAP is what makes the change. With WinPCAP uninstalled the response is 270ms-300ms, with WinPCAP installed the response time changes to 50ms-75ms.

(24 Mar '17, 05:09) gforster67

Hm okay, in this case we need someone who knows what WinPCAP does exactly... I'll see if I can get someone to take a look at this.

(24 Mar '17, 14:27) Jasper ♦♦

If memory serves me right, WinPCAP installs a service. Depending on your settings, this service may be started automatically (default?) or not. What happens if you stop that service?

(24 Mar '17, 23:48) jmayer

There's some info here about WinPcap internals, in particular the NPF driver and how it fits in the stack.

Just guessing out loud, but if installing WinPcap improves latency, I suspect that it might be inadvertently "removing" or "diverting" something else from the stack that's adding the latency.

(25 Mar '17, 05:03) grahamb ♦
showing 5 of 7 show 2 more comments
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×146

question asked: 23 Mar '17, 12:44

question was seen: 712 times

last updated: 25 Mar '17, 05:03

p​o​w​e​r​e​d by O​S​Q​A