Wireshark-users: [Wireshark-users] SMB Trans2 FILE_QUERY_INFO Query File Standard Info - what's g

From: "Surlow, Jim" <jim_surlow@xxxxxxxxxxxxxx>
Date: Thu, 22 Feb 2007 10:01:13 -0700

Apologies – as this is more of a problem with the SMB client than with Wireshark/Ethereal. But, as I saw a similar thread from 3/2005 on the list, maybe someone could help me:


I am seeing hundreds of SMB/Trans2/FILE_QUERY_INFO/Query File Standard Info requests and responses following a file open and prior to the file close. 


The clients are running a custom application in our Citrix environment running on Windows 2003. We see the same behavior regardless of whether the file server is Samba, NetApp, or Windows 2000. The custom application is just reading ini files – and so that is anywhere between a 2-5 packet exchange. The fact that we see hundreds of “Query File Standard Info” requests and responses (200-300 could occur in the same half second of time) is very confusing to us. And of course, it is burying our servers.



1) Anyone have a clue as to this behavior?

2) What is the difference between: Query File Standard Info, Query File Basic Info, Query File EA Info?