This is our old Q&A Site. Please post any new questions and answers at

Very strange behavior between Win7 and W2k3. From Win7 \<servername> and the wireshark on that workstation does not capture the session setup request. A laptop running wireshark on a span port of the Win7 device does see the session setup request packets. This coincides with a significant delay in actually seeing the shares on the server.

There are lots of theories and work arounds for the issue, but they don't seem to change that the setup request packet is missed by wireshark but is put on the wire.

Anyone have any thoughts?


asked 29 Nov '10, 13:11

JoeChieftain's gravatar image

accept rate: 0%

Mike, some questions 1) Are you capturing the packets from boot up? Many CIFS sessions are long-lived.
2) Are you filtering the capture? Remember, the conversation can be happening with the AD server, or any other server that's housing the virtual share.

If you are capturing from boot up without any filters, I would say it's a bug. But if not, I would say it's a filtering (most likely) problem.

(29 Nov '10, 13:53) hansangb

I think if he can capture it on a spanned port, but not on the local system then he's just missed the packets. This is an example of why one would capture on a spanned port or even better a tap me thinks.

(02 Dec '10, 00:26) lchappell ♦
Be the first one to answer this question!
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 29 Nov '10, 13:11

question was seen: 1,968 times

last updated: 02 Dec '10, 00:26

p​o​w​e​r​e​d by O​S​Q​A