Why does Wireshark hang after I stop a capture?
The most likely reason for this is that Wireshark is trying to look up an IP address in the capture to convert it to a name (so that, for example, it can display the name in the source address or destination address columns), and that lookup process is taking a very long time.

Wireshark calls a routine in the OS of the machine on which it’s running to convert IP addresses to the corresponding names. That routine probably does one or more of:

• a search of a system file listing IP addresses and names;
• a lookup using DNS;
• on UNIX systems, a lookup using NIS;
• on Windows systems, a NetBIOS-over-TCP query.

If a DNS server that’s used in an address lookup is not responding, the lookup will fail, but will only fail after a timeout while the system routine waits for a reply.

In addition, on Windows systems, if the DNS lookup of the address fails, either because the server isn’t responding or because there are no records in the DNS that could be used to map the address to a name, a Net