Running 0.10.12 with WinPCap 3.1 beta4 on an XP SP2, 2.4GHz/1.5GB RAM.
Everything worked ok for years, but a few weeks ago Ethereal became extremely
slow. Starting a capture (with "Display packets in real time") takes abt 20
secs, and all this time CPU is at 100%. Two processes, svchost.exe and services.
exe are eating all the CPU. After capture is running and no packets arrive, the
CPU usage drops to <5% and the Ethereal GUI is usable for checking the packets.
When a *single* packet is captured, the CPU goes back to 100% with "services"
and "svchost" eating cpu for a few seconds, and the GUI freezes. With this setup
I can analyze about 0.25 packets per second, which is not quite up to par with
my previous experience ;-)
Sysinternal's "filemon" shows that while the CPU is high, ethereal and svchost
do abt. 800 accesses/second to the file system, to places like C:\Documents and
Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.
pbk (which is empty) and writes to c:\windows\debug\userenv.log the following
kinds of lines:
"USERENV(7d8.704) 17:00:01:287 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(ef0.484) 17:00:01:319 ProcessAutoexec: Cannot process autoexec.bat.
"
"regmon" shows that svchost.exe and servces.exe generate abt. 10000 registry
accesses per second. It seems like they are reading all over the registry, but
mostly in the HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum -area.
I've tried the obvious (reboot, running with administrative rights,
uninstalling/re-installing ethereal & winpcap), to no help. My other computers
work flawlessly with Ethereal. Any ideas what might be causing Ethereal to run
this slow ?
--Matti