Without having looked at the SMB dissector, there could be a lot of housekeeping going on in the background, w.r.t. keeping track of chunks, searches for file handles to names, etc.Things add up quickly with large files like this.
Jaap
> On 6 May 2022, at 00:42, Richard Sharpe <realrichardsharpe@xxxxxxxxx> wrote:
>
> Hi folks,
>
> I am often handling SMB2 captures with lots of compound requests.
>
> I am looking at one at the moment that has about 300,000 packets in
> it, about half of which are SMB2 requests but they are mostly compound
> requests with three SMB2 requests in each compound:
>
> 1. CREATE some file,
> 2. QueryInfo the Security Descriptor for the file,
> 3. CLOSE the file.
>
> This takes an extraordinary amount of time to load even though I have
> 64GB on that machine. (Around 10 minutes or more.)
>
> Moreover, other captures with a comparable number of packets but no,
> or fewer, SMB compound requests take far less time to load.
>
> Does anyone have any ideas on why this is so?
>
> --
> Regards,
> Richard Sharpe
> (何以解憂?唯有杜康。--曹操)(传说杜康是酒的发明者)