Strange SMB1 traffic during mouse move over files in File Explorer

  • Question

  • We are parsing and intercepting SMB traffic in our product. Can anyone help to explain the below?


    Client and Server

    client is : Win2K Prof English with SP4, multilanguage set to Chinese Simplified

    server is : Win2003 Server English

     

    User scenarios and symptoms:

    Slow mouse move when hovering over files (on a remote share) in Explorer:

    1) when moving over a file & the ToolTip is opened, the mouse seems to hang.

    2) when selecting a file (in Explorer) & then trying to move to another file, it hung again.

     

     

    Following is a capture segment of a network trace of requests/responses, taken at the client side.
     

                  Pck#    Time     src IP         dst IP                                         

     

    < Req < 13 0.501996 10.104.19.7 10.100.5.68 SMB Trans2 Request, FIND_FIRST2, Pattern: \07080\isos\AREA01\cd2010801.err

    > Rep > 14 0.502547 10.100.5.68 10.104.19.7 SMB Trans2 Response, FIND_FIRST2, Files: cd2010801.err

    < Req < 15 0.503136 10.104.19.7 10.100.5.68 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \07080\isos\AREA01\cd2010801.err\desktop.ini

    > Rep > 16 0.517058 10.100.5.68 10.104.19.7 SMB Locking AndX Request, FID: 0x800f

    < Req < 17 0.517362 10.104.19.7 10.100.5.68 SMB Close Request, FID: 0x800f

     

    The issue is seen with packets #14 + #15. In the reply packet #14, we see that "cd2010801.err" is a file and *NOT* a directory. Then, in packet #15 the client is applying QUERY_PATH_INFO on \07080\isos\AREA01\cd2010801.err\desktop.ini although he received that cd2010801.err is a file and so the path is invalid.

     

    1. Why does the client attempt a QUERY_PATH_INFO on "\07080\isos\AREA01\cd2010801.err\desktop.ini" although cd2010801.err is a file and not a directory?


    2. Is this a known bug/issue? Serial number? Any related KB articles? Workaround?
     
    Thank you, --Yariv

    Thursday, February 12, 2009 1:43 PM
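
For a product that parses SMB traffic, the pattern described in packets #14 and #15 can be flagged mechanically. The following is an added example, not part of the original post: it reads the trace summary lines quoted above (Req/Rep arrows removed) and reports any QUERY_PATH_INFO whose parent path was just returned as an exact-name FIND_FIRST2 entry. The function name `child_probes` and the line format are assumptions, and the summaries carry no attribute field, so the file-versus-directory decision is left to the caller.

```python
import re

# Summary lines for packets 13-15, copied from the trace in the post.
TRACE = r"""
13 0.501996 10.104.19.7 10.100.5.68 SMB Trans2 Request, FIND_FIRST2, Pattern: \07080\isos\AREA01\cd2010801.err
14 0.502547 10.100.5.68 10.104.19.7 SMB Trans2 Response, FIND_FIRST2, Files: cd2010801.err
15 0.503136 10.104.19.7 10.100.5.68 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \07080\isos\AREA01\cd2010801.err\desktop.ini
"""

# pkt, time, src, dst, direction, subcommand, remaining detail text
LINE = re.compile(r"(\d+) \S+ (\S+) (\S+) SMB Trans2 (Request|Response), (\w+), (.*)")


def child_probes(trace):
    """Return (find_reply_pkt, query_pkt, path) for each QUERY_PATH_INFO whose
    parent path was returned as a single exact-name FIND_FIRST2 entry."""
    pending = {}  # (client, server) -> pattern of the outstanding FIND_FIRST2
    listed = {}   # (client, server, lowercased path) -> reply packet number
    hits = []
    for raw in trace.strip().splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        pkt, src, dst, kind, cmd, detail = m.groups()
        if cmd == "FIND_FIRST2" and kind == "Request":
            pending[(src, dst)] = detail.split("Pattern: ", 1)[-1]
        elif cmd == "FIND_FIRST2" and kind == "Response":
            pattern = pending.pop((dst, src), None)
            name = detail.split("Files: ", 1)[-1]
            # Exact-name lookup (no wildcard): the reply names the entry itself.
            if pattern and pattern.rpartition("\\")[2].lower() == name.lower():
                listed[(dst, src, pattern.lower())] = int(pkt)
        elif cmd == "QUERY_PATH_INFO" and kind == "Request":
            path = detail.split("Path: ", 1)[-1]
            parent = path.rpartition("\\")[0].lower()
            reply = listed.get((src, dst, parent))
            if reply is not None:
                # Assumption: a full parser would confirm here that the listed
                # entry lacks the directory attribute before reporting it.
                hits.append((reply, int(pkt), path))
    return hits


if __name__ == "__main__":
    for reply, query, path in child_probes(TRACE):
        print(f"packet {query} probes below entry listed in packet {reply}: {path}")
```
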

Answers

  • Hello Yariv,
       I have not seen any further discussion from you regarding this topic. Are you still looking into this issue?

    Thanks
    John Dunning
    Senior Escalation Engineer Microsoft Corporation
    US-CSS DSC PROTOCOL TEAM
    • Marked as answer by John Dunning Friday, February 27, 2009 9:46 PM
    Thursday, February 19, 2009 7:45 PM

All replies

  • Hello Yariv,

       Thanks for your questions. We will look at this issue. We will post our findings when we complete our investigation. In the meantime please take a look at the document [MS-SMB] for possible answers.

    http://msdn.microsoft.com/en-us/library/cc246231(PROT.13).aspx


    Thanks

    John Dunning

    Senior Escalation Engineer Microsoft Corporation

    US-CSS DSC PROTOCOL TEAM


    Thursday, February 12, 2009 4:58 PM
  • Hello Yariv,
       My initial research indicates that it would be good for me to have the entire network capture. If possible can you send it to the following email address?

    johndun_007@hotmail.com

    Thanks

    John Dunning

    Senior Escalation Engineer Microsoft Corporation

    US-CSS DSC PROTOCOL TEAM

    Thursday, February 12, 2009 5:45 PM
  • Hello Yariv,
       I have tried reproing this but I don't have the same client server configuration that you have. Where the client is 2003 and the server is 2008 I do not see this behavior in the associated network capture.
    Have you tested this with other client operating systems?

    Thanks

    John Dunning

    Senior Escalation Engineer Microsoft Corporation

    US-CSS DSC PROTOCOL TEAM

    Thursday, February 12, 2009 8:19 PM