Ethereal-users: [Ethereal-users] Re: Ethereal slow, svcchost.exe and services.exe eating all c

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Matti Suuronen <matti.suuronen@xxxxxxxxx>
Date: Thu, 18 Aug 2005 08:44:01 +0300
Hi,

I got this to work, I just needed to upgrade to WinPcap 3.1. Thanks for your help Guy and Ulf, it saved me from doing a complete OS re-install ;-)

Anyway, here are some answers so that others might gain as well:

Guy Harris wrote:

I have the impression that SP2 hasn't been around for years; did the behavior change occur after an update, or did the update occur before the behavior change?

You are correct, and neither has 0.10.12 been out for long. A more accurate description would have been: "I've been using Ethereal on this computer for years without problems." Anyway, the SP2 was not a problem, Ethereal worked ok with it. Now that I came to think of it, the change came about when I upgraded to 0.10.12. Initially I did not thoroughly test it, just checked to see that it starts and displays the correct version info, since I did the security update "just to be sure" ;-). Uninstalling and re-installing 0.10.11 later did not help. I am not sure whether I tried a previous version of WinPcap, which I of course should have done.

Is svchost.exe thrashing like that even when Ethereal *isn't* running?

No problems with svchost.exe or services.exe otherwise, just with Ethereal running. The computer is rather well taken care of, so viruses - although certainly possible - would not be my first bet. Of course the problem might be in a corrupted/infested Ethereal package. To detect corruption, I re-downloaded the package and it compared ok with the original used for the installation.


If it's only thrashing when Ethereal is running, does it happen even with non-"Update list of packets in real time" captures, or does it only happen with "Update list of packets in real time"?

The problem occurred even before the capture started, for example when selecting which interface to capture on. Therefore I do not think the real-time display played a role here. I do not have WinDump installed, so I could not check whether the symptoms show up there as well.

I verified the problem by re-installing 0.10.12 and WinPcap 3.1beta4 and sure enough the problem came back. Installing WinPcap 3.1 fixed it again, and now regmon and filemon are showing just the usual traffic.

This just makes me wonder why I have not seen reports of such behaviour from others, since it seems to have been a problem with WinPcap 3.1beta4. Perhaps my setup is just a tad different ;-)

--Matti