This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SMB Expression for Close Request Time…

0

Hello,

So I'm troubleshooting some SMB issues where files on a NAS are taking a long time to close. So I have a filter for "smb2.cmd == 6" which is the SMB command issued for closing a file. I can run a different filter "tcp.ack == 1510 or tcp.seq == 1510" which will give me the request and the acknowledgement.

But what really want to be able to create an expression that will allow me to filter on the close and any close function that is greater than let's say 20ms.

So I would assume using the "smb2.cmd == 6" along with something else would get me there. Can someone help me with that expression and/or filter? So maybe even a filter that gives me the close command, acknowledgement and only those with a time difference greater then a number a choose.

I'm being told closing files is taking 10-30 seconds so I would really want to search within that time frame.

asked 10 Dec '15, 17:22

ew0506's gravatar image

ew0506
11236
accept rate: 0%

The filter I was thinking was something to this degree, but I'm missing something cause it's still red (invalid).

smb2.cmd == 6 && tcp.ack == && or tcp.seq == && time > 1

(10 Dec '15, 17:53) ew0506

2 Answers:

0

Leaving aside the syntax errors in your suggestion of the filter, there may be an issue with the notion of time.

smb.time is "time from samba request" (in seconds) and it is only calculated for responses to that request, and "command" and "request" may not mean the same. But try

smb2.cmd == 6 and smb2.time > 0.02

If it is the solution, please accept it by clicking the checkmark. If it is not, send a comment to this answer.

answered 11 Dec '15, 05:54

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%

edited 11 Dec '15, 05:58

1

Filters can't be used to compare things between packets, they are a yes\no match on each packet in turn.

However, if the packet in question has a field, such as smb2.time which shows the time between the request and response, then that could be used in a filter.

A filter of (smb2.cmd == 6) and smb2.time will show all SMB2 close responses, the latter part of the filter can be modified to compare against a specific time value, e.g. (smb2.time > 0.1) to display all responses that took greater than 100 mS from the request.

What that filter doesn't show is the associated request, and it's not possible to do that with a filter as there is no smb2.time field in the request.

The Wireshark MATE system may be able to help here, as that allows associations between packets to be built.

answered 11 Dec '15, 05:59

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

Thanks to both you, Graham and Sindy - your answers helped a tremendous amount. So it makes it that mush easier to widdle down a 288,000+ packet trace and and then follow only particular threads from there.

Much appreciated!

(11 Dec '15, 09:15) ew0506

You can use TRANSUM to add SMB2 response times to request packet decodes. It will show as APDU Resp Time which you can then Apply as a column.

(14 Dec '15, 06:32) PaulOfford