Wireshark-users: Re: [Wireshark-users] SMB Question

From: Hansang Bae <hbae@xxxxxxxxxx>
Date: Wed, 16 Apr 2008 23:25:00 -0400
St Onge,Adam wrote:
I am having a problem with slow response over an OC3 WAN link using Microsoft Office documents, specifically Excel documents. The users are attempting to open roughly a 100kb file and it takes approx 90 seconds to open. I sniffed the traffic and have been combing through the frames with Wireshark but I see a confusing pattern. The workstation frequently attempts "NT Create Andx Request" and the server then immediately returns with "Error: Status_Access_Denied". This pattern repeats over and over again during this conversation and I suspect it may have something to do with the slow response these users are experiencing. I have spent a lot of time on Google trying to determine this and keep coming up empty handed...


Well, CIFS blows over the WAN. But 33ms RTT isn't *THAT* bad. However, depending on the application, it can severely degrade performance. For us, we opted to go with Riverbed to accelerate protocols like CIFS.

The AndX request should have the file or directory name in there. Do the users have access to it? Does the spreadsheet have a lot of links in it? Is it marked as sharable? It turns out that MS Office apps react differently when doing things like file/open/save than pure CIFS. Here's how I would troubleshoot it.

1)  Make sure *NO ONE* has the spreadsheet open.  Copy it for example.
2)  Open it locally and see what the interaction is.
3)  Add in the 33ms per packet roundtrip and see if it comes to 90 seconds. If it does, you're done troubleshooting.

Another thing you can try. What happens if you open a Word document of similar size? How long does that take? Also, what is in the AndX Response from the server? Open up the FID section and see what the file attribute is and what the share access is set to. You should also look at file locks to see if someone has a lock on it. One final note, there may be some Oplock issues going on here. See if there are OpLocks going on causing you grief.



--

Thanks,
Hansang
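
Added example, not part of the original message: one way to carry out step 3 above is to count the SMB request/response round trips in the local-open capture, add the 33ms RTT for each, and tally how many of them were NT Create AndX requests answered with STATUS_ACCESS_DENIED. The sample rows are constructed, the function name `estimate` is hypothetical, and the script assumes one SMB command per frame with strictly serialized requests (no pipelining).

```python
import csv
import io

NT_CREATE_ANDX = 0xA2              # SMB1 command code for NT Create AndX
STATUS_ACCESS_DENIED = 0xC0000022  # NT status returned on the denied opens

# Constructed sample rows (not from the poster's capture), in the column
# order of a field export of the local-open trace such as:
#   tshark -r local.pcap -Y smb -T fields -E separator=, \
#     -e frame.time_relative -e smb.cmd -e smb.flags.response -e smb.nt_status
SAMPLE = """\
0.000100,0xa2,0,
0.000400,0xa2,1,0xc0000022
0.000900,0xa2,0,
0.001200,0xa2,1,0x00000000
0.001500,0x2e,0,
0.002100,0x2e,1,0x00000000
0.002300,0x2e,0,
0.002900,0x2e,1,0x00000000
0.003100,0x04,0,
0.003300,0x04,1,0x00000000
"""


def estimate(text, rtt_s):
    """Count request/response round trips and add rtt_s for each one."""
    round_trips = denied = 0
    first = last = None
    pending = None                      # command code of the outstanding request
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 4:
            continue                    # blank or incomplete line
        t, cmd = float(row[0]), int(row[1], 0)
        first = t if first is None else first
        last = t
        # tshark prints the response flag as 1/0 or True/False by version
        if row[2].strip().lower() not in ("1", "true"):
            pending = cmd               # request: wait for its response
        elif pending == cmd:
            round_trips += 1
            if cmd == NT_CREATE_ANDX and row[3] and int(row[3], 0) == STATUS_ACCESS_DENIED:
                denied += 1
            pending = None
    local_s = (last - first) if first is not None else 0.0
    return {"round_trips": round_trips, "denied_creates": denied,
            "wan_estimate_s": local_s + round_trips * rtt_s,
            "denied_cost_s": denied * rtt_s}


if __name__ == "__main__":
    print(estimate(SAMPLE, rtt_s=0.033))
```

If `wan_estimate_s` for the real capture lands near the observed 90 seconds, latency alone accounts for the delay; `denied_cost_s` shows how much of that the denied create attempts contribute.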