This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi, I have a network performance issue and a quick wireshark capture shows a high traffic between my client and the NAS. This doesn't occur frequently but it seems to have disrupt the office network.

Based on the capture below which lasted 10 mins, how can i go deeper into the each packets to see if there was a bottleneck in bandwidth or was there any other possibilities that might have slow down the network?

alt text

alt text

asked 03 Dec '16, 00:33

doran_lum's gravatar image

doran_lum
11111116
accept rate: 0%

Easily said in your case you can use tcptrace or the smb request stats.

An other way could be that you share us a at a public accessible place like dropbox, google drive or cloudshark.

(03 Dec '16, 02:18) Christian_R

Thanks, I was looking at this link to see if it's link to a DOS attack using this vulnerability.

https://www.symantec.com/security_response/vulnerability.jsp?bid=33121

pcap file: https://drive.google.com/open?id=0B6Euh1o48D7ESkpOSUVnSEo4YzQ

(05 Dec '16, 04:29) doran_lum

For me the traffic on port 445 looks good. It is normal SMB (Windows network file sharing and can be used for NAS) and it seems that someone downloads a vmplayer.exe. So everything looks calm on this port to me.

But there is a lot of traffic on Port 9001. Port 9001 can be used for Sharepoint authoring or for TOR-Browsing. There is huge traffic to the internet (5.135.184.158) on that port, this could slow down your network, FW or WAN interface. The traffic comes from 192.168.70.8 on Port 53947

You can see that stas under: Statitstics -> Conversations - TCP And then you can sort by each column you want.

permanent link

answered 05 Dec '16, 08:40

Christian_R's gravatar image

Christian_R
1.8k2625
accept rate: 16%

edited 06 Dec '16, 00:51

Thanks, how did you find out that someone was downliading the vmplayer ? I was trying to search on wireshark and networkminer but can't seem to find it.

Anyway a vmplayer.exe file would be less than 100MB, so it's unlikely it can slow down the network.

Yes for the port 9001, i show it as second highest byte under Conversations.

(06 Dec '16, 05:39) doran_lum

Sorry I found it out by filtering smb.cmd==46

I also can see .m4v files being play. May I ask how do I tell if the movie file i being download or being stream from the NAS ?

(06 Dec '16, 05:52) doran_lum

Please try this displayfilter:


((smb.cmd == 0xa2) && (smb.nt_status == 0x00000000) && !(smb.fid.opened_in)) && !(smb.file == "")

And there we find the evidence that Port 9001 is TOR

(06 Dec '16, 06:26) Christian_R

Well, you have to enable TCP Reassembly. Right click TCP header in Packet Detail. Select Protocol preferences. Enable TCP reassembly.

Then select a SMB packet. And then choose the export SMB objects dialog. Now you get all the transfered objects.

(06 Dec '16, 11:45) Christian_R
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×13

question asked: 03 Dec '16, 00:33

question was seen: 2,440 times

last updated: 06 Dec '16, 12:00

p​o​w​e​r​e​d by O​S​Q​A