Severe performance issues in Follow -> Save As raw workflow
Windows 10, 64-bit, Wireshark 3.4.0 - 3.4.4
A common workflow for me is:
- Capture a bunch of TCP/IP traffic.
- Find and follow the conversation I'm interested in, typically consisting of arbitrary binary data
- Save the raw bytes (payloads only, excluding protocol headers) of the conversation to a file for later analysis and processing
The way I do this is:
- Start a capture
- Wait for whatever I'm looking for to finish
- Stop the capture
- Find a packet in the conversation
- Right click -> Follow conversation
- In the conversation window, select "Raw" from the "Show Data As" dropdown, so that "Save As" saves raw data
- "Save As"
- Close windows, all done.
However, I consistently run into severe performance issues when selecting "Raw" from "Show Data As". For example, in one conversation consisting of 36 MB of data across 748 client packets and 138 server packets (267 turns):
- Selecting "Ascii" takes approximately 4 seconds to complete.
- Selecting "Raw" (or any other format really) takes approximately 6 minutes to complete.
In order to save the raw data, though, AFAIK I must select "Raw" and I must wait for it to complete (saving while it is processing results in an incomplete output file).
This means that the only way I know how to save the raw bytes from a conversation takes 6 minutes.
This is a little intense.
I'd like to request two things:
- Improve the performance of viewing conversations in non-Ascii formats, and/or
- Just make a "Save As Raw" button on the conversation window, or even in the main window context menu
This machine has 8x i9's running at 4.8 GHz, with 64 GB RAM; it's not a super computer but it's nothing to shake a stick at, either. So, 6 minutes for whatever is happening in that window seems a bit odd.