
Opening Of Capture Files In Wireshark Is Very Slow!

You open your file and it takes a long time to load because Wireshark is slow?

I had the same problem even with very small files (1 MB). From one day to the next, my Wireshark just wasn’t able to do it fast anymore.

I read several forums over 2 days (I didn’t spend all my time on it) to understand why my Wireshark was slow. It was a very annoying problem and I saw many people having the same problem.

The suggested solution in the forums was to disable DNS resolution by unchecking “Edit >> Preferences >> Name Resolution >> Resolve Network (IP) addresses”.

Unfortunately it did not solve my problem.

What was my solution?

In October 2017 I attended a presentation on HTTP/2 at the Velocity Conference in London (I really recommend going there).

During that presentation I set the environment variable SSLKEYLOGFILE, which points to a file and keeps track of key logs.
It is useful in case you want external programs to decrypt TLS traffic.

You can also decrypt the traffic with Wireshark automatically by telling it where to find the key file via “Edit >> Preferences >> Protocols >> SSL >> (Pre)-Master-Secret log filename“.

This is exactly what I did, and it did not cause problems at the beginning.
Now, 3 months later (not even remembering I had configured it), I ran into the problem with opening files.

It seems that Wireshark tries to decrypt the traffic with each of the keys in the log file, and once the key log file reaches a significant size, Wireshark just takes ages to load your file.

My solution was to remove the file name from the field (Pre)-Master-Secret log filename in Wireshark.
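To judge whether the key log is large enough to matter before clearing the preference, the following added example (not part of the original post) parses a key log in the NSS format written via SSLKEYLOGFILE, counts lines and distinct sessions, and returns only the lines of the most recent sessions. The function names and the sample data are constructed for illustration.

```python
import re
from collections import Counter

# Key log line: "<LABEL> <hex client random> <hex secret>"; '#' starts a comment.
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]+) ([0-9a-fA-F]+)$")
TLS13 = ["CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
         "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"]

def fake_session(byte, labels):
    """Constructed sample lines: repeated-byte client random, all-zero secret."""
    return [f"{label} {byte * 32} {'00' * 48}" for label in labels]

# Constructed sample: one TLS 1.2 session, two TLS 1.3 sessions, one damaged line.
SAMPLE = "\n".join(["# constructed sample, not real secrets"]
                   + fake_session("aa", ["CLIENT_RANDOM"])
                   + fake_session("bb", TLS13)
                   + ["CLIENT_RANDOM truncated-li"]
                   + fake_session("cc", TLS13))

def parse_keylog(text):
    """Return (entries, skipped); entries are (label, context, secret) tuples."""
    entries, skipped = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groups())
        else:
            skipped += 1  # partially written or corrupted line
    return entries, skipped

def summarize(entries):
    """Count usable lines, distinct sessions and lines per label."""
    labels = Counter(label for label, _, _ in entries)
    sessions = len({ctx.lower() for _, ctx, _ in entries})
    return {"lines": len(entries), "sessions": sessions, "labels": dict(labels)}

def keep_recent_sessions(entries, n):
    """Keep every line of the n sessions that appear last in the file."""
    order = list(dict.fromkeys(ctx.lower() for _, ctx, _ in entries))
    keep = set(order[-n:]) if n > 0 else set()
    return [" ".join(e) for e in entries if e[1].lower() in keep]

if __name__ == "__main__":
    entries, skipped = parse_keylog(SAMPLE)
    print(summarize(entries), "skipped:", skipped)
    print("\n".join(keep_recent_sessions(entries, 1)))
```

For a real file, pass its contents to `parse_keylog` and write the result of `keep_recent_sessions` to a separate, access-restricted file for Wireshark to read, since every line in a key log can decrypt the matching captured session.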

 

Summary

Probably there are many more reasons why your files are not loading fast. In case you know other reasons, I am happy to hear them.

If you consider some parts of this post, you will be more successful in analyzing packet captures with Wireshark!


2 Comments

  1. Phil

    Thank you for this! I did the exact same thing – couldn’t figure out why a 17MB file opened in 1 second on one laptop and 13.25 minutes on another! It was the SSL decryption based on the Wireshark preference just like you said!

  2. Rajesh

    Great! Really helped. I was stuck with this for a long time.

    Thanks for your post.
