Wireshark Hints: be aware of your current config!

After upgrading Wireshark to version 2.4.0rc1 today I suddenly realized that PCAP files began to open very slowly. No, not just very slowly, but waaaay too sloooow:

A 12 MB file was opened in 45 seconds! A 143 MB file was opened in 5 minutes, and Wireshark took more than 2.5 GB of RAM.

“Hmmm, what could be the problem”, I thought…

So I just downgraded Wireshark to ver. 2.2.7, the latest stable release, and… nothing changed. The same speed. Alright, let’s take the next step: I reinstalled 2.4.0rc1, but this time all personal configuration (profiles, filters) was moved to another place (of course I’m not crazy enough to just delete it :-).

This time the problem was gone, and all files were opened very quickly, as they should be. I wondered which part of the personal configuration could cause such slowness. Profiles, display filters, GeoIP… And suddenly I realized what the reason was. Some time ago I did a little task that involved SSL decryption. As part of this project I set the SSLKEYLOGFILE variable to grab the browser’s SSL session keys.

After the project was finished I didn’t remove my decryption settings, and session keys continued to accumulate until my keylog file reached about 10 MB in size.

That’s why, while reading every trace file, Wireshark tried to find and apply session keys to decrypt the SSL connections found in the trace. You can guess how many of them were in a 10 MB file by then!

So I cleared the key file and disabled it in the “Preferences-Protocols-SSL” menu, and after that the file opened in 0.2 sec instead of 45+ sec.

This is the hint: be aware of your config. There are some settings that can make your Wireshark very slow. And don’t forget to clear or disable your SSL keylog file if you don’t need it anymore!

Otherwise you could eventually end up wondering “what’s happened to my Wireshark?”

UPD. 

In a tweet, Tom LaBaude asked a very reasonable question: is this setting stored per-profile or globally? If it is per-profile, we could just make an “SSL” profile and use the SSL keylog only there.

I checked it and can confirm that the setting is stored in the ‘preferences’ file on a per-profile basis, so this is a valid workaround. Turn the SSL decoding setting ‘ON’ only in the “SSL” profile and it will not affect any other profile.

Thanks for that comment!
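
To see which profiles still have a keylog file configured and how large it has grown, the following added example (not part of the original post) scans a Wireshark configuration directory and reads each profile's 'preferences' file. It assumes the `ssl.keylog_file` preference key of Wireshark 2.x (`tls.keylog_file` from 3.0 on), the Linux location `~/.config/wireshark`, and an arbitrary 1 MB size threshold.

```python
import os
from pathlib import Path

# Preference keys: ssl.keylog_file (Wireshark 2.x, the version on this page)
# and tls.keylog_file (the name used since the dissector was renamed in 3.0).
KEYS = ("ssl.keylog_file", "tls.keylog_file")

def keylog_setting(prefs_path):
    """Return the active keylog path from one 'preferences' file, or None."""
    found = None
    for line in Path(prefs_path).read_text(errors="replace").splitlines():
        line = line.strip()
        if line.startswith("#") or ":" not in line:
            continue  # commented-out defaults and blank lines
        # Split at the first colon only, so Windows paths (C:\...) survive.
        key, _, value = line.partition(":")
        if key.strip() in KEYS and value.strip():
            found = value.strip()
    return found

def audit(config_dir, max_bytes=1_000_000):
    """Check the default profile and every named profile under config_dir.

    max_bytes is an assumed threshold, not a Wireshark limit.
    """
    config_dir = Path(config_dir)
    prefs = [("Default", config_dir / "preferences")]
    profiles = config_dir / "profiles"
    if profiles.is_dir():
        prefs += [(p.name, p / "preferences") for p in sorted(profiles.iterdir())]
    report = []
    for name, path in prefs:
        keylog = keylog_setting(path) if path.is_file() else None
        if keylog is None:
            continue  # this profile does not load a keylog file
        size = os.path.getsize(keylog) if os.path.isfile(keylog) else 0
        report.append({"profile": name, "keylog": keylog,
                       "bytes": size, "too_big": size > max_bytes})
    return report

if __name__ == "__main__":
    # Assumed Linux location; on Windows the directory is %APPDATA%\Wireshark.
    for row in audit(Path.home() / ".config" / "wireshark"):
        print(row)
    # The browser keeps appending keys for as long as this variable is set.
    print("SSLKEYLOGFILE =", os.environ.get("SSLKEYLOGFILE"))
```

A keylog file holds the session secrets for every connection the browser made while the variable was set, so a forgotten one is worth deleting for that reason as well as for load time.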
