Wireshark-users: Re: [Wireshark-users] SMB Question

From: Sake Blok <sake@xxxxxxxxxx>
Date: Tue, 15 Apr 2008 19:49:03 +0200
On Mon, Apr 14, 2008 at 09:24:36PM -0400, St Onge,Adam wrote:
> I am having a problem with slow response over an oc3 wan link using
> Microsoft office documents, specifically excel documents. The users are
> attempting to open roughly a 100kb file and takes approx 90 seconds to
> open.  I sniffed the traffic and have been combing through the frames
> with Wireshark but I see a confusing pattern. The workstation frequently
> attempts "NT Create Andx Request" and the server then immediately
> returns with "Error: Status_Access_Denied".  This pattern repeats over
> and over again during this conversation and I suspect it may have
> something to do with the slow response these users are experiencing. I
> have spent a lot of time on google trying to determine this and keep
> coming up empty handed...

Do all these "NT Create Andx Request" and "Error: Status_Access_Denied"
messages come before the actual transfer of the file takes place?
If so, what is the total delay of these messages?
(ie whats the time difference between the first "NT Create Andx Request"
and the last "Error: Status_Access_Denied" message?).

If that delay does not come close to 90 seconds, than that's *not* 
your issue and you need to look in your trace for other sources of
delay. It helps if you add a column to your Wireshark with the
"Delta time displayed" (go to "Edit -> Preferences -> columns").

If the delay is mainly caused by these failing "NT Create Andx Request"
messages, then you will need to troublshoot your Windows environment
to find out why it is trying this over and over again?


Hope this helps,
Cheers,
    Sake