Excessive SMB network traffic when network drives are mapped

  • Question

  • Hi,

    I've got a strange issue here that started occurring maybe a month ago.  I started noticing the network activity on the network switch for this particular computer was very active.  After some troubleshooting I discovered that by disconnecting the mapped network drives, the activity went away.  I recently installed the network monitoring software and confirmed that when the mapped network drives are connected there is a lot of what appears to be looping SMB traffic.  There appears to be a pattern in the logs, but I couldn't tell you what it means.

    Here's a little background on what I've done.  I've confirmed that no other computer on my network exhibits the same issue.  The computer in question is a Dell Latitude E6500 laptop dual booting between XP & Win7 prof.  The network is a single domain controller network.  The domain controller is a Dell PowerEdge 2900 running Server 2003.  The problem occurs in both the XP & Win7 operating systems on the laptop, as well as both the LAN NIC & wireless NIC.  I've tried reinstalling the NIC drivers on the laptop and that hasn't helped.

    I've tried mapping a network share on the laptop from another computer and network activity does not appear to be excessive.  If anyone has any ideas or suggestions, please let me know.  If there's any additional information you'd like, again let me know.  I've copied and pasted the repeating information from the netmon description column.

    Thanks

    SMB:C; Transact2, Query FS Info, Query FS Attribute Info (NT)
    SMB:R; Transact2, Query FS Info, Query FS Attribute Info (NT), FS = NTFS
    SMB:C; Transact2, Query FS Info, Query FS Attribute Info (NT)
    SMB:R; Transact2, Query FS Info, Query FS Attribute Info (NT), FS = NTFS
    SMB:C; Nt Create Andx, FileName = \$Extend\$Quota:$Q:$INDEX_ALLOCATION
    SMB:R; Nt Create Andx, FID = 0x8002 (\$Extend\$Quota:$Q:$INDEX_ALLOCATION@#4283)
    SMB:C; Transact2, Query File Info, Query File Standard Info, FID = 0x8002 (\$Extend\$Quota:$Q:$INDEX_ALLOCATION@#4283)
    SMB:R; Transact2, Query File Info, Query File Standard Info, FID = 0x8002 (\$Extend\$Quota:$Q:$INDEX_ALLOCATION@#4283)
    SMB:C; Transact2, Query File Info, Query File Basic Info, FID = 0x8002 (\$Extend\$Quota:$Q:$INDEX_ALLOCATION@#4283)
    SMB:R; Transact2, Query File Info, Query File Basic Info, FID = 0x8002 (\$Extend\$Quota:$Q:$INDEX_ALLOCATION@#4283)
    SMB:C; Transact2, Query FS Info, Query FS Control Info
    SMB:R; Transact2, Query FS Info, Query FS Control Info
    SMB:C; Close, FID = 0x8002 , FileName=\$Extend\$Quota:$Q:$INDEX_ALLOCATION@#4283 
    SMB:R; Close, FID = 0x8002 , FileName=\$Extend\$Quota:$Q:$INDEX_ALLOCATION@#4283 
    SMB:C; Nt Create Andx, FileName = 
    SMB:R; Nt Create Andx, FID = 0x800A (NULL@#4293)
    SMB:C; Transact2, Query File Info, Query File Standard Info, FID = 0x800A (NULL@#4293)
    SMB:R; Transact2, Query File Info, Query File Standard Info, FID = 0x800A (NULL@#4293)
    SMB:C; Transact2, Query File Info, Query File Basic Info, FID = 0x800A (NULL@#4293)
    SMB:R; Transact2, Query File Info, Query File Basic Info, FID = 0x800A (NULL@#4293)
    SMB:C; Nt Transact, NT_TRANSACT_IOCTL, FID = 0x800A (NULL@#4293)
    SMB:R; Nt Transact, NT_TRANSACT_IOCTL - NT Status: System - Error, Code = (13) STATUS_INVALID_PARAMETER
    SMB:C; Close, FID = 0x800A , FileName=NULL@#4293 
    SMB:R; Close, FID = 0x800A , FileName=NULL@#4293 
    SMB:C; Transact2, Query FS Info, Query Full FS Size Info
    SMB:R; Transact2, Query FS Info, Query Full FS Size Info
    TCP:Flags=...A...., SrcPort=2271, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1513351157, Ack=4110625763, Win=63203

    Josh


    • Edited by Legacy777 Tuesday, April 17, 2012 11:10 PM
    Tuesday, April 17, 2012 11:10 PM

All replies

  • Hmm, it seems a process is probing the mapped drives.  Can you tell me what are on these mapped drives?  Do you store any profile or roaming data on these drives?  When I look up $Extend\$Quota:$Q:$INDEX_ALLOCATION I do see other complaints, but not a concrete solution.

    Paul

    Wednesday, April 18, 2012 6:17 PM
  • Hi Paul,

    Thanks for the reply.  The mapped drives are just root drives of the server.  This is a small network and I just map the root drives using the admin share for ease of accessing files.  I've tried mapping non-admin shares and get the same results.

    I have it set up to map the home folder on the server for my user name.  Other than that I have My Documents directed to a folder in the home folder on the server.  I've tried other users that do not have a home folder nor the My Documents folder set up to point to the server, and again I get the same results.

    The one odd thing I recall when I was troubleshooting what exactly was the cause of the excess traffic: I had not booted into the Windows 7 OS for a while and when I did I initially did not notice any issue with excessive traffic.  The previous network shares were mapped with the "persistent" switch so were already mapped.  Once I deleted the shares and recreated them, the problem occurred.  I'm not sure why previous network shares would be OK, but any new ones cause a problem.

    I've scanned the computer for viruses with Symantec Endpoint and didn't see anything odd in the HijackThis logs.  Short of removing the drive from the laptop and scanning it on another computer from a cold boot, I have to assume it's clean of viruses/malware.

    I know that's not much to go on, but if you have any ideas or would like any additional information, please let me know.

    Thanks
    Josh


    • Edited by Legacy777 Thursday, April 19, 2012 1:26 AM
    Thursday, April 19, 2012 1:24 AM
  • Well I have some more information... nothing very conclusive, but it appears to be fixed now.

    So I did some more testing & logging with a new user so as to create a new profile.  I booted into the XP partition and everything appeared to be the same.  I then logged into the Win7 partition and I was getting a bunch of network activity even without any drives mapped.  I logged the traffic and this is what I got:

    MSRPC:c/o Request: unknown   Call=0xC21  Opnum=0x4C  Context=0x1  Hint=0x40 Warning: Octets trailer appends to authentication token
    MSRPC:c/o Response: unknown   Call=0xC21  Context=0x1  Hint=0x38  Cancels=0x0 
    MSRPC:c/o Request: unknown   Call=0xC22  Opnum=0x4C  Context=0x1  Hint=0x40 Warning: Octets trailer appends to authentication token
    MSRPC:c/o Response: unknown   Call=0xC22  Context=0x1  Hint=0x38  Cancels=0x0 
    MSRPC:c/o Request: unknown   Call=0xC23  Opnum=0x4C  Context=0x1  Hint=0x40 Warning: Octets trailer appends to authentication token
    MSRPC:c/o Response: unknown   Call=0xC23  Context=0x1  Hint=0x38  Cancels=0x0 
    TCP:Flags=...A...., SrcPort=52852, DstPort=1025, PayloadLen=0, Seq=1099108814, Ack=3497562888, Win=254
    MSRPC:c/o Request: unknown   Call=0xC24  Opnum=0x4C  Context=0x1  Hint=0x40 Warning: Octets trailer appends to authentication token
    MSRPC:c/o Response: unknown   Call=0xC24  Context=0x1  Hint=0x38  Cancels=0x0 
    MSRPC:c/o Request: unknown   Call=0xC25  Opnum=0x4C  Context=0x1  Hint=0x40 Warning: Octets trailer appends to authentication token
    MSRPC:c/o Response: unknown   Call=0xC25  Context=0x1  Hint=0x38  Cancels=0x0 
    MSRPC:c/o Request: unknown   Call=0xC26  Opnum=0x4C  Context=0x1  Hint=0x40 Warning: Octets trailer appends to authentication token
    MSRPC:c/o Response: unknown   Call=0xC26  Context=0x1  Hint=0x38  Cancels=0x0 
    TCP:Flags=...A...., SrcPort=52852, DstPort=1025, PayloadLen=0, Seq=1099109270, Ack=3497563272, Win=253
    MSRPC:c/o Request: unknown   Call=0xC27  Opnum=0x4C  Context=0x1  Hint=0x40 Warning: Octets trailer appends to authentication token
    MSRPC:c/o Response: unknown   Call=0xC27  Context=0x1  Hint=0x38  Cancels=0x0 
    MSRPC:c/o Request: unknown   Call=0xC28  Opnum=0x4C  Context=0x1  Hint=0x40 Warning: Octets trailer appends to authentication token
    MSRPC:c/o Response: unknown   Call=0xC28  Context=0x1  Hint=0x38  Cancels=0x0 
    MSRPC:c/o Request: unknown   Call=0xC29  Opnum=0x4C  Context=0x1  Hint=0x40 Warning: Octets trailer appends to authentication token
    MSRPC:c/o Response: unknown   Call=0xC29  Context=0x1  Hint=0x38  Cancels=0x0 

    TCP:Flags=...A...., SrcPort=52852, DstPort=1025, PayloadLen=0, Seq=1099109726, Ack=3497563656, Win=251

    I then decided to remove the Windows 7 computer from the domain.  Upon rebooting into Windows 7 I still had some activity going on, but was unable to log anything because there were no adapters listed in Netmon.  Upon booting back into the XP partition everything seems fine and I no longer have the excess traffic.  I don't know why removing the Win7 computer account from the domain caused the problem to go away, but that's really the only thing I did.  I never had any issues with having both accounts on the domain before, so maybe something got screwed up.  I'm not sure if I want to try adding it back at the moment since it appears to be fixed.

    If anyone has any wild ideas as to why what happened occurred, I'm all ears.

    Thanks


    Josh

    Friday, April 20, 2012 2:23 AM
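The two captures pasted in this thread (the SMB open/query/close cycle on `\$Extend\$Quota:$Q:$INDEX_ALLOCATION` and the empty-name handle whose `NT_TRANSACT_IOCTL` fails with `STATUS_INVALID_PARAMETER`, and later the run of MSRPC requests to port 1025 with the same Opnum and consecutive Call IDs) are exactly the kind of "same thing over and over" pattern that is easier to prove with a script than by eye. The following is an added example, not the poster's tooling and not anything from Microsoft; it parses Network Monitor Description-column text in the format pasted above and reports how many times each identical FID lifecycle repeats, which NT error statuses the server returned, and the longest run of back-to-back RPC requests with consecutive Call IDs. The sample input is constructed from the lines in the first and last posts (one duplicated FS Attribute query pair trimmed, the SMB block repeated to stand in for the loop), and the `repeat_threshold` used to call a capture "looping" is an assumption, not a documented value.

```python
"""Flag repeating SMB1 / MSRPC request cycles in Network Monitor description text.
Added example, not the poster's tooling; assumes the Description-column format
pasted in this thread ('SMB:C; ...', 'SMB:R; ...', 'MSRPC:c/o Request: ...')."""
import re
from collections import Counter

SMB_RE = re.compile(r"^SMB:(?P<dir>[CR]);\s*(?P<body>.*)$")
FID_RE = re.compile(r"FID = (0x[0-9A-Fa-f]+)")
FNAME_RE = re.compile(r"FileName\s*=\s*(\S*)")
STATUS_RE = re.compile(r"NT Status:.*?Code = \(\d+\)\s*(\w+)")
RPC_REQ_RE = re.compile(r"^MSRPC:c/o Request:.*?Call=(0x[0-9A-Fa-f]+)\s+Opnum=(0x[0-9A-Fa-f]+)")


def command_name(body):
    # Keep only the command path; drop 'FID = ..', 'FileName=..', 'FS = ..' and NT Status text.
    parts = [p.split(" - NT Status")[0].strip() for p in body.split(", ")]
    return ", ".join(p for p in parts if p and "=" not in p)


def analyze_smb(lines):
    """Follow each FID from Nt Create Andx to Close; count identical cycles, errors, FS queries."""
    pending_name, open_files = "", {}          # open_files: fid -> [name, commands while open]
    cycles, errors, fs_queries = Counter(), Counter(), Counter()
    for line in lines:
        m = SMB_RE.match(line.strip())
        if not m:
            continue
        body, cmd = m.group("body"), command_name(m.group("body"))
        fid = next(iter(FID_RE.findall(body)), None)
        if m.group("dir") == "C":
            if cmd == "Nt Create Andx":
                pending_name = next(iter(FNAME_RE.findall(body)), "")
            elif fid in open_files:
                open_files[fid][1].append(cmd)
                if cmd == "Close":                  # handle lifetime ends: record the cycle
                    name, cmds = open_files.pop(fid)
                    cycles[(name, tuple(cmds))] += 1
            elif fid is None:                       # e.g. Transact2 Query FS Info
                fs_queries[cmd] += 1
        else:
            status = STATUS_RE.search(body)
            if status:                              # server returned an NT error
                errors[(cmd, status.group(1))] += 1
            elif cmd == "Nt Create Andx" and fid:
                open_files[fid] = [pending_name, []]
    return {"cycles": cycles, "errors": errors, "fs_queries": fs_queries}


def analyze_rpc(lines):
    """Count requests per opnum and the longest run of back-to-back requests with
    the same opnum and consecutive Call IDs (what a tight retry loop looks like)."""
    opnums, longest, run, last = Counter(), 0, 0, (None, None)
    for line in lines:
        m = RPC_REQ_RE.match(line.strip())
        if not m:
            continue
        call, op = int(m.group(1), 16), m.group(2)
        opnums[op] += 1
        run = run + 1 if last == (op, call - 1) else 1
        longest, last = max(longest, run), (op, call)
    return {"requests_by_opnum": dict(opnums), "longest_sequential_run": longest}


def loop_report(lines, repeat_threshold=3):
    """'looping' is an assumed heuristic: an identical SMB open/close cycle or a
    sequential MSRPC run repeated at least repeat_threshold times."""
    smb, rpc = analyze_smb(lines), analyze_rpc(lines)
    repeated = sorted(((n, name, cmds) for (name, cmds), n in smb["cycles"].items()
                       if n >= repeat_threshold), reverse=True)
    return {"repeated_smb_cycles": repeated, "smb_errors": dict(smb["errors"]),
            "smb_fs_queries": dict(smb["fs_queries"]), "rpc": rpc,
            "looping": bool(repeated) or rpc["longest_sequential_run"] >= repeat_threshold}


# Constructed input: the lines pasted in the first and last posts (one FS Attribute
# query pair trimmed); repeating the SMB block stands in for the observed loop.
SMB_SAMPLE = [
    r"SMB:C; Transact2, Query FS Info, Query FS Attribute Info (NT)",
    r"SMB:R; Transact2, Query FS Info, Query FS Attribute Info (NT), FS = NTFS",
    r"SMB:C; Nt Create Andx, FileName = \$Extend\$Quota:$Q:$INDEX_ALLOCATION",
    r"SMB:R; Nt Create Andx, FID = 0x8002 (\$Extend\$Quota:$Q:$INDEX_ALLOCATION@#4283)",
    r"SMB:C; Transact2, Query File Info, Query File Standard Info, FID = 0x8002 (\$Extend\$Quota:$Q:$INDEX_ALLOCATION@#4283)",
    r"SMB:R; Transact2, Query File Info, Query File Standard Info, FID = 0x8002 (\$Extend\$Quota:$Q:$INDEX_ALLOCATION@#4283)",
    r"SMB:C; Transact2, Query File Info, Query File Basic Info, FID = 0x8002 (\$Extend\$Quota:$Q:$INDEX_ALLOCATION@#4283)",
    r"SMB:R; Transact2, Query File Info, Query File Basic Info, FID = 0x8002 (\$Extend\$Quota:$Q:$INDEX_ALLOCATION@#4283)",
    r"SMB:C; Transact2, Query FS Info, Query FS Control Info",
    r"SMB:R; Transact2, Query FS Info, Query FS Control Info",
    r"SMB:C; Close, FID = 0x8002 , FileName=\$Extend\$Quota:$Q:$INDEX_ALLOCATION@#4283",
    r"SMB:R; Close, FID = 0x8002 , FileName=\$Extend\$Quota:$Q:$INDEX_ALLOCATION@#4283",
    r"SMB:C; Nt Create Andx, FileName = ",
    r"SMB:R; Nt Create Andx, FID = 0x800A (NULL@#4293)",
    r"SMB:C; Transact2, Query File Info, Query File Standard Info, FID = 0x800A (NULL@#4293)",
    r"SMB:R; Transact2, Query File Info, Query File Standard Info, FID = 0x800A (NULL@#4293)",
    r"SMB:C; Transact2, Query File Info, Query File Basic Info, FID = 0x800A (NULL@#4293)",
    r"SMB:R; Transact2, Query File Info, Query File Basic Info, FID = 0x800A (NULL@#4293)",
    r"SMB:C; Nt Transact, NT_TRANSACT_IOCTL, FID = 0x800A (NULL@#4293)",
    r"SMB:R; Nt Transact, NT_TRANSACT_IOCTL - NT Status: System - Error, Code = (13) STATUS_INVALID_PARAMETER",
    r"SMB:C; Close, FID = 0x800A , FileName=NULL@#4293",
    r"SMB:R; Close, FID = 0x800A , FileName=NULL@#4293",
]
RPC_SAMPLE = []
for _call in range(0xC21, 0xC2A):                  # Call=0xC21 .. 0xC29 as in the last post
    RPC_SAMPLE.append(f"MSRPC:c/o Request: unknown   Call=0x{_call:X}  Opnum=0x4C  Context=0x1  Hint=0x40")
    RPC_SAMPLE.append(f"MSRPC:c/o Response: unknown   Call=0x{_call:X}  Context=0x1  Hint=0x38  Cancels=0x0")

if __name__ == "__main__":
    print(loop_report(SMB_SAMPLE * 4 + RPC_SAMPLE))
```

Run against the repeated sample it reports two identical cycles four times each (the quota index stream with two Query File Info calls, and the empty-name handle with the extra IOCTL), a single error kind (`NT_TRANSACT_IOCTL` returning `STATUS_INVALID_PARAMETER` on every pass), and an RPC run of nine consecutive Call IDs on the same Opnum. Consecutive Call IDs with no other RPC traffic in between are the signature of one client component re-issuing the same call, rather than several callers sharing the association. What this does not tell you is which process is doing it: the redirector sends SMB on the client's behalf, so a per-process view needs a host-side tool (Process Monitor filtered on the UNC path, for example) rather than a packet capture.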