Very strange behavior between Win7 and W2k3. From Win7 \<servername> and the wireshark on that workstation does not capture the session setup request. A laptop running wireshark on a span port of the Win7 device does see the session setup request packets. This coincides with a significant delay in actually seeing the shares on the server. There are lots of theories and work arounds for the issue, but they don't seem to change that the setup request packet is missed by wireshark but is put on the wire. Anyone have any thoughts? Mike asked 29 Nov '10, 13:11  JoeChieftain |
This is a static archive of our old Q&A Site.
Please post any new questions and answers at ask.wireshark.org.
Mike, some questions 1) Are you capturing the packets from boot up? Many CIFS sessions are long-lived.
2) Are you filtering the capture? Remember, the conversation can be happening with the AD server, or any other server that's housing the virtual share.
If you are capturing from boot up without any filters, I would say it's a bug. But if not, I would say it's a filtering (most likely) problem.
I think if he can capture it on a spanned port, but not on the local system then he's just missed the packets. This is an example of why one would capture on a spanned port or even better a tap me thinks.