
Wireshark-users: Re: [Wireshark-users] Why so much SMB traffic?

From: "Martin Visser" <martinvisser99@xxxxxxxxx>
Date: Wed, 12 Nov 2008 12:40:32 +1100
Because this is the way modern operating systems and apps work ;-)

Seriously, a lot of applications need to determine what is the appropriate configuration or system file to use to perform a function. Unless the location is hard-coded they will have some sort of hierarchical order to navigate in order to determine the best option. For instance Wireshark itself determines whether the user has their own config file, the system has a global configuration file or whether there is no configuration. In order to find whether these files exist it needs to enumerate through the possible locations in order. Thus if you could look at your PC system calls when it starts Wireshark you might see similar pairs of "Does this file exist" questions and "No it doesn't" answers.

The same goes for network aware applications. DNS, the protocol by which names resolve to IP addresses, is a classic example. Many DNS requests will result in either no answer or a negative answer as a client tries to determine where it can find the service it is looking for.

For your specific example, googling indicates that TM_CFW.sys is associated with Trend Micro, the anti-virus program. I suspect the configuration is such that on Steve's machine, because he has a home drive or roaming profile, when TM starts it looks to see if a more recent version of the file exists on the network (rather than on the local machine). Not finding it, I guess it just uses the local file. Not knowing anything about the way TM works (or much about Windows roaming profiles either) I am only speculating.

So in summary, network queries resulting in negative answers (or even no answers) are a normal part of an application trying to get an optimum running solution - effectively discovering what is out there. However, clearly it is also an opportunity to examine whether the application has been deployed or configured optimally. For example, many years ago I was asked to examine why network login times were so slow on remote office PCs. After using Ethereal (it was ~2000) I found misconfigured DNS suffixes, meaning there were lots of redundant queries, as well as attempts to resolve from WINS, Novell NDS and I think even NetBEUI broadcasts. The whole process of finding the correct login server took around 45 seconds because of the need to weave through all these mechanisms (and either wait for negative answers or simply time out).

Wireshark will show you what is happening, but you will likely need to chase up information resources specific to the app or OS to determine what is appropriate. (And unfortunately too few app/OS vendors publish explicit information on this)

Regards, Martin

On Tue, Nov 11, 2008 at 8:35 AM, Jeff - <unix_core@xxxxxxxxxxxxx> wrote:
Our network uses a Windows 2003 server as our file server.    Has a basic shared folder and users map it to their machine.

Using Wireshark I'm seeing tons of activity like the following:

No.    Time       SRC             DST             Protocol  INFO
10956  59.354649  192.168.143.23  192.168.143.1   SMB       Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \steve
10957  59.354750  192.168.143.1   192.168.143.23  SMB       Trans2 Response, QUERY_PATH_INFO
10958  59.355077  192.168.143.23  192.168.143.1   SMB       Trans2 Request, FIND_FIRST2, Pattern: \steve\TM_CFW.sys
10959  59.355306  192.168.143.1   192.168.143.23  SMB       Trans2 Response, FIND_FIRST2, Error: STATUS_NO_SUCH_FILE

The user and files vary.

Many users seem to be always searching for files on the file server which do not exist. The files it looks for seem like "system" files and are never files that are on our file server. Anyone know what this could mean and/or what could be causing this?


--
Regards, Martin

MartinVisser99@xxxxxxxxx
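To triage the pattern Jeff describes (pairs of FIND_FIRST2 requests answered with STATUS_NO_SUCH_FILE), the following is an added example, not code from either poster: it parses a packet-list export in the same column layout as the one quoted above, pairs each FIND_FIRST2 request with its response, and tallies negative lookups per client and per file name, so you can see which software on which machines is probing the share. The sample listing is constructed, and requests are matched to responses FIFO per client/server pair because the listing carries no SMB multiplex ID (an assumption that holds for the one-request-at-a-time probing seen here).

```python
import re
from collections import defaultdict, deque

# Constructed sample in the column layout of the capture quoted in the thread
# (No., Time, SRC, DST, Protocol, INFO); it is not real traffic from that network.
SAMPLE = r"""
10956  59.354649  192.168.143.23  192.168.143.1   SMB  Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \steve
10957  59.354750  192.168.143.1   192.168.143.23  SMB  Trans2 Response, QUERY_PATH_INFO
10958  59.355077  192.168.143.23  192.168.143.1   SMB  Trans2 Request, FIND_FIRST2, Pattern: \steve\TM_CFW.sys
10959  59.355306  192.168.143.1   192.168.143.23  SMB  Trans2 Response, FIND_FIRST2, Error: STATUS_NO_SUCH_FILE
10960  59.401200  192.168.143.40  192.168.143.1   SMB  Trans2 Request, FIND_FIRST2, Pattern: \alice\TM_CFW.sys
10961  59.401400  192.168.143.1   192.168.143.40  SMB  Trans2 Response, FIND_FIRST2, Error: STATUS_NO_SUCH_FILE
10962  59.450000  192.168.143.23  192.168.143.1   SMB  Trans2 Request, FIND_FIRST2, Pattern: \steve\report.doc
10963  59.450300  192.168.143.1   192.168.143.23  SMB  Trans2 Response, FIND_FIRST2
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*?)\s*$")

def parse_listing(text):
    """Turn packet-list lines into dicts; non-SMB rows and junk lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(5) == "SMB":
            rows.append({"no": int(m.group(1)), "src": m.group(3),
                         "dst": m.group(4), "info": m.group(6)})
    return rows

def negative_lookups(rows):
    """Pair FIND_FIRST2 requests with responses (FIFO per client/server pair) and
    return (negatives per client, negatives per file name, total FIND_FIRST2 requests)."""
    pending = defaultdict(deque)           # (client, server) -> queued search patterns
    per_client, per_file, total = defaultdict(int), defaultdict(int), 0
    for r in rows:
        info = r["info"]
        if info.startswith("Trans2 Request, FIND_FIRST2"):
            m = re.search(r"Pattern: (\S+)", info)
            pending[(r["src"], r["dst"])].append(m.group(1) if m else "?")
            total += 1
        elif info.startswith("Trans2 Response, FIND_FIRST2"):
            queue = pending[(r["dst"], r["src"])]
            if not queue:
                continue                   # response whose request fell outside the capture
            pattern = queue.popleft()
            if "STATUS_NO_SUCH_FILE" in info:
                per_client[r["dst"]] += 1
                per_file[pattern.rsplit("\\", 1)[-1]] += 1
    return dict(per_client), dict(per_file), total

if __name__ == "__main__":
    clients, files, n = negative_lookups(parse_listing(SAMPLE))
    print(f"{n} FIND_FIRST2 requests; negatives per client {clients}; per file {files}")
```

A file name that dominates the per-file tally across many clients (here TM_CFW.sys) points at one installed product rather than at user activity, which is the distinction Martin draws between normal discovery noise and a deployment worth tuning.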