Articles

Wireshark Slow Network Diagnosis: Latency Root Cause (2026)

April 6, 2026 5 min read

The Wireshark "latency" metric is misleading; it’s not measuring network round-trip time but rather the delay between a packet arriving at your network interface and Wireshark processing it.

Let’s see Wireshark in action. Imagine you’re capturing traffic on a busy server. You’re seeing high "latency" values, and you’re worried about network congestion.

# Example capture setup
sudo wireshark -i eth0 -w capture.pcapng

When Wireshark displays a packet with a high latency, it looks something like this in the "Time" column: 0.567890. This number isn’t the time it took to traverse the network; it’s the time since the previous packet was processed by Wireshark.

The core problem is that Wireshark, by default, is a single-threaded application that runs in user space. When network traffic is high, the kernel’s network stack buffers packets. Wireshark then has to pull these packets from the kernel’s buffer into its own buffer, and then process them one by one. This processing includes dissecting the packet, applying display filters, and writing it to disk if you’re saving the capture. If any of these steps take too long, or if packets are arriving faster than Wireshark can process them, the latency metric will climb.

Here are the most common reasons for high Wireshark latency, and how to fix them:

  1. Display Filters are Too Complex or Applied Incorrectly: You’re filtering for tcp.flags.syn == 1 and ip.addr == 192.168.1.100 but also http.request.method == "GET". Wireshark has to evaluate all these conditions for every packet.

    • Diagnosis: In the Wireshark GUI, go to Analyze -> Display Filter Expression.... Look at your current filter. If it’s complex, try simplifying it or using a capture filter instead.
    • Fix: Use capture filters before Wireshark starts processing. For example, to capture only HTTP traffic from a specific IP, use tcp port 80 or tcp port 443 and host 192.168.1.100. This is applied at the kernel level and drastically reduces the number of packets Wireshark has to look at.
    • Why it works: Capture filters discard unwanted packets at the driver level before they even reach Wireshark’s processing queue, minimizing the workload.

  2. Saving to a Slow Disk: You’re capturing to a USB drive or a network share (\\server\share\capture.pcapng). Wireshark needs to write every packet to disk.

    • Diagnosis: Check the write speed of your target storage. Use tools like iostat (Linux) or CrystalDiskMark (Windows).
    • Fix: Capture to a fast local SSD. If you must save to a network share, ensure it has very high throughput and low latency. sudo wireshark -i eth0 -w /mnt/fast_ssd/capture.pcapng
    • Why it works: Faster disk I/O means Wireshark spends less time waiting for the disk to acknowledge writes, allowing it to process incoming packets more quickly.

  3. Insufficient CPU Resources / High System Load: The machine running Wireshark is busy with other tasks, leaving little CPU time for Wireshark to dissect and process packets.

    • Diagnosis: Use top or htop (Linux) or Task Manager (Windows) to observe CPU usage. If wireshark or tshark is consistently consuming a high percentage of CPU, or if overall system CPU is near 100%, this is a factor.
    • Fix: Dedicate a more powerful machine to packet capture, or stop other resource-intensive applications. If using tshark, consider running it with nice to give it lower priority: sudo nice -n 19 tshark -i eth0 -w capture.pcapng.
    • Why it works: By ensuring Wireshark has sufficient CPU cycles, it can perform its dissection and buffering tasks more efficiently, reducing the time packets spend waiting.

  4. Large Number of Packets / High Packet Rate: You’re capturing on a very busy network segment (e.g., a server processing thousands of requests per second). Wireshark’s default buffer sizes might be too small.

    • Diagnosis: Observe the "Packets/s" and "Bytes/s" counters in Wireshark’s status bar. If these are very high, your system might be overwhelmed.
    • Fix: Use tshark (Wireshark’s command-line equivalent) with increased buffer sizes. For example, sudo tshark -i eth0 -B 10000000 -w capture.pcapng (this sets the buffer size to 10MB). The exact optimal value depends on your system.
    • Why it works: A larger kernel buffer allows Wireshark more breathing room to catch up when packet arrival rates temporarily exceed its processing speed, preventing packet drops and reducing the observed latency.

  5. Wireshark GUI Overload (if using GUI): The graphical interface itself consumes CPU and memory. Displaying thousands of packets in real-time, especially with complex coloring rules or statistics windows open, taxes the system.

    • Diagnosis: Close all unnecessary windows and panels in Wireshark. Disable any custom coloring rules.
    • Fix: Use tshark for captures where real-time GUI display is not essential. sudo tshark -i eth0 -w capture.pcapng
    • Why it works: By removing the overhead of rendering the GUI, tshark can dedicate more resources to packet capture and processing, leading to lower latency.

  6. Plugin Issues or Excessive Protocol Dissection: A poorly written Wireshark plugin or an unusually large number of complex protocols being dissected (e.g., deep packet inspection of encrypted traffic with a custom dissector) can slow down processing.

    • Diagnosis: Temporarily disable third-party plugins in Wireshark’s preferences (Edit -> Preferences -> Protocols). Observe if latency improves.
    • Fix: Update or remove problematic plugins. If a specific protocol dissection is causing issues, you can disable its dissector under Edit -> Preferences -> Protocols, though this will prevent Wireshark from understanding that protocol.
    • Why it works: Reducing the amount of complex processing Wireshark needs to do per packet, whether it’s for a plugin or a standard dissector, frees up CPU time for more efficient capture.

  7. Hardware Offloading Issues: Network interface card (NIC) features like TCP segmentation offload (TSO) or large receive offload (LRO) can sometimes cause issues with packet capture if not handled correctly by the driver.

    • Diagnosis: Check NIC offload settings using ethtool -k eth0 (Linux).
    • Fix: Experiment with disabling specific offloads, e.g., sudo ethtool -K eth0 tso off gro off. Be cautious, as this can impact network performance.
    • Why it works: Sometimes, offloaded packets are presented to the capture mechanism in a way that’s harder for Wireshark to process efficiently, or the driver might drop packets before Wireshark sees them. Disabling these features forces the CPU to handle more of the packet processing, which can paradoxically improve capture accuracy and reduce observed latency in some cases.

After fixing these, the next error you’ll encounter is the "packets dropped by kernel" warning.

More Deep Dives in Wireshark

Want structured learning?

Take the full Wireshark course →