can someone please check this for me, I can't find any current Bug in bugzilla: Running 1.99.7 64Bit in Windows 7SP1 I have a permanent stream of SMB2 Traffic in the background. After literally 7 Seconds of ceaseless searching, I noticed that the SYSTEM account is Create Request / Response / close Response for any file listed in my Open Files list on the Welcome to Wireshark page. I have a list of 15 files there, 13 of which were deleted. But the 2 that remained are being polled for as long as Wireshark is open. I added a new file to the list, it too was then polled until I deleted the actual pcap. I have opened Wireshark Legacy and confirmed that the traffic is not there until I open 1.99.7 (1.99.7 does not need to be actively capturing or reading, just open) Is this a problem with my setup or is this a bug? Both files are on a remote mapped share (K:), can someone confirm this and then I'll open a bug report. asked 12 Aug '15, 23:43 DarrenWright showing 5 of 7 show 2 more comments |
One Answer:
This is Wireshark trying to keep the "recent files" list up to date if files are removed or renamed or if the file system they're mounted on is unmounted (or whatever it's called on Windows), by checking all of them every 2 seconds. On Windows, OS X, Linux, and FreeBSD, there are ways we can arrange to get notifications of file removal/renaming and unmounts, so we can at least do better for Wireshark on those platforms. Please file a bug on this on the Wireshark Bugzilla, so the problem is tracked. answered 14 Aug '15, 18:52 Guy Harris ♦♦ will do. Sorry was on holiday for a couple of days. Legoland lenkt ab :D If there's not currently a bug, I'll file one tomorrow morning, too tired now. (19 Aug '15, 14:14) DarrenWright Bug 11546 was filed on this. (25 Sep '15, 00:50) Guy Harris ♦♦ Yeah, filed that this morning finally. I'll let this thread die / someone can close it for further comments as far as I am concerned. (25 Sep '15, 06:11) DarrenWright |
Your description of the problem is not clear to me.
Can you confirm you are running a legacy version (what version, or do you mean the legacy version or GTK version of 1.99.7?) of Wireshark, presumably capturing traffic, but don't see the SMB traffic. When you run 1.99.7, then you do see the SMB traffic in the legacy version.
What do you mean "run 1.99.7", is that just starting the application or capturing traffic. Is the 1.99.7 version you're running the new Qt version of 1.99.7?
What are the source and destination of the SMB traffic?
Version 1.99.7 (v1.99.7-0-g03c02f3 from master)
Copyright 1998-2015 Gerald Combs [email protected] and contributors. License GPLv2+: GNU GPL version 2 or later http://www.gnu.org/licenses/old-licenses/gpl-2.0.html This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with Qt 5.3.1, with WinPcap (unknown), with libz 1.2.8, with GLib 2.42.0, with SMI 0.4.8, with c-ares 1.9.1, with Lua 5.2, with GnuTLS 3.2.15, with Gcrypt 1.6.2, with MIT Kerberos, with GeoIP, without PortAudio, with AirPcap.
Running on 64-bit Windows 7 Service Pack 1, build 7601, with locale C, without WinPcap, with GnuTLS 3.2.15, with Gcrypt 1.6.2, without AirPcap. Intel(R) Core(TM) i7-4600M CPU @ 2.90GHz (with SSE4.2), with 8097MB of physical memory.
Built using Microsoft Visual C++ 12.0 build 31101
Wireshark is Open Source Software released under the GNU General Public License.
Check the man page and http://www.wireshark.org for more information.
1.99.7 (QT) does not need to be actively capturing or reading, just open to generate the traffic. When I am not actively capturing in QT, I started GTK or Dumpcap directly to see the traffic
The source is my computer and the destination is the location of the files (a remote share mapped as K:) The source process on my computer is System(PID 4 / NT Kernal & System).
The traffic ONLY appears when 1.99.7 QT is started and ONLY goes away when A: the file is deleted or B: 1.99.7 QT is closed.
I can see the traffic in the 1.99.7 QT as well as in the 1.99.7 GTK version, but only when QT is running.
Out of interest (in case of local caching or some other window gumpf) I left 1.99.7 QT open for an hour and then began a new trace. Traffic is still there.
Do you have recent files (as shown in Qt Wireshark) on that share?
I already said they are the files shown in my open file list on the wireshark home page. They are also listed under recent files. There are also 2 files listed from my local D: drive, I cannot see any file activity regarding them in any monitoring tool up to now. (sysinternals etc)
There are 15 files listed. 13 have been deleted and the other 2 are the ones listed in the SMB calls. If I open another one, it also has SMB calls until I move / delete it from the share.
Sounds like the Qt version is scanning the recent files, looking for changes.
It's doing so every two seconds:
in
WiresharkApplication::WiresharkApplication()
in ui/qt/wireshark_application.cpp.The comment before
WiresharkApplication::refreshRecentFiles()
says:The good news is that, at least in some OSes, you can ask for notifications if a file is removed or if the list of mounted volumes changed.
The bad news is that the way you do that is OS-dependent, and it might not be doable on all OSes.
Please file a bug on this on the Wireshark Bugzilla, so the problem is tracked.
(And, yes, this is happening; I started Wireshark up on OS X, and ran
fs_usage
to watch what it was doing, and every two seconds it did a sequence ofaccess()
calls on all the files in the recent list.)